KEYCLOAK-18826 FAPI-CIBA-ID1 conformance test : ID Token needs to include auth_time claim

Takashi Norimatsu 2021-07-19 14:51:24 +09:00 committed by Marek Posolda
parent 63f04c1118
commit f188f02d03
2 changed files with 12 additions and 0 deletions


@ -26,6 +26,7 @@ import org.jboss.logging.Logger;
import org.keycloak.OAuthErrorException;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.common.Profile;
import org.keycloak.common.util.Time;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
@ -212,6 +213,9 @@ public class CibaGrantType {
ClientSessionContext clientSessionCtx = DefaultClientSessionContext
.fromClientSessionAndClientScopes(userSession.getAuthenticatedClientSessionByClient(client.getId()), TokenManager.getRequestedClientScopes(scopeParam, client), session);
int authTime = Time.currentTime();
userSession.setNote(AuthenticationManager.AUTH_TIME, String.valueOf(authTime));
return tokenEndpoint.createTokenResponse(user, userSession, clientSessionCtx, scopeParam, true);
}
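Review bot: `authTime` on L22-L23 is sampled when the client's token request is processed, not when the end-user actually authenticated on the authentication device, so the `auth_time` claim of the CIBA ID Token reports the poll time and can overstate authentication freshness for a relying party that checks `auth_time` against `max_age` or its own recency policy. CIBA is asynchronous, so the token request may be polled well after the authentication channel reported success, and the note is also written unconditionally, discarding any value the authentication flow may already have recorded on the session. I would keep an existing value when present, e.g. `if (userSession.getNote(AuthenticationManager.AUTH_TIME) == null) { userSession.setNote(AuthenticationManager.AUTH_TIME, String.valueOf(Time.currentTime())); }`, and ideally set the timestamp where the authentication-channel success response is processed (outside this hunk) so it reflects the user's action. The enclosing method starts before this hunk, so I cannot see where `userSession` is created or whether it is always fresh for this grant.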


@ -27,6 +27,7 @@ import org.apache.http.client.methods.CloseableHttpResponse;
import static org.hamcrest.Matchers.notNullValue;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
import static org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse.Status.CANCELLED;
import static org.keycloak.protocol.oidc.grants.ciba.channel.AuthenticationChannelResponse.Status.SUCCEED;
@ -2111,6 +2112,8 @@ public class CIBATest extends AbstractClientPoliciesTest {
prepareCIBASettings(clientResource, clientRep);
if (isOfflineAccess) oauth.scope(OAuth2Constants.OFFLINE_ACCESS);
long startTime = Time.currentTime();
// user Backchannel Authentication Request
AuthenticationRequestAcknowledgement response = doBackchannelAuthenticationRequest(TEST_CLIENT_NAME, TEST_CLIENT_PASSWORD, username, bindingMessage, additionalParameters);
@ -2130,6 +2133,11 @@ public class CIBATest extends AbstractClientPoliciesTest {
// user Token Request
OAuthClient.AccessTokenResponse tokenRes = doBackchannelAuthenticationTokenRequest(username, response.getAuthReqId());
IDToken idToken = oauth.verifyIDToken(tokenRes.getIdToken());
long currentTime = Time.currentTime();
long authTime = idToken.getAuth_time().longValue();
assertTrue(startTime -5 <= authTime);
assertTrue(authTime <= currentTime + 5);
// token introspection
String tokenResponse = doIntrospectAccessTokenWithClientCredential(tokenRes, username);
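Review bot: The two `assertTrue` calls on L48-L49 carry no message, so a failure reports a bare `AssertionError` without the offending `auth_time`, `startTime` or `currentTime` values, and `idToken.getAuth_time().longValue()` on L47 throws a NullPointerException instead of a readable assertion when the claim is absent, which is exactly the condition this test exists to catch. I would guard the unboxing with `assertNotNull("auth_time missing from ID Token", idToken.getAuth_time());` (needs `import static org.junit.Assert.assertNotNull;`) and give the range checks messages such as `assertTrue("auth_time " + authTime + " precedes request start " + startTime, startTime - 5 <= authTime);`. Note also that any value inside [startTime-5, currentTime+5] passes, so the assertion cannot distinguish an `auth_time` taken at the token request from one taken when the user authenticated on the device; if that distinction matters for FAPI-CIBA conformance, capture a timestamp after the authentication-channel callback and assert against it as well. The test method begins before and continues after this hunk.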