From fe43c268299dd48d9b3045730a0f6839762e0a0f Mon Sep 17 00:00:00 2001
From: mposolda
Date: Tue, 5 Sep 2017 12:22:01 +0200
Subject: [PATCH] KEYCLOAK-5248 auth_time is not updated when reauthentication is requested with 'login=prompt'
---
 .../browser/CookieAuthenticator.java | 2 +-
 .../managers/AuthenticationManager.java | 6 +++++-
 .../oidc/OIDCAdvancedRequestParamsTest.java | 17 +++++++++++++++--
 3 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
index cf7e1a0ba2..e2e1ee1de4 100755
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
@@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator {
 if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
 context.attempted();
 } else {
- clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true");
+ context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true");
 context.setUser(authResult.getUser());
 context.attachUserSession(authResult.getSession());
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index fa9fec6313..4daee92f54 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
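Review bot: The new `setAttribute` line stores SSO_AUTH on `context.getSession()`, which (if that is the per-request KeycloakSession) scopes the flag to the current request, whereas the removed line persisted it as a client note; nothing at this line says who reads the flag or when it expires, and the same constant name is used for both stores in this patch. A short comment would save the next reader a search: `// Request-scoped marker (not a client note): read later in this request when auth_time is stamped, so a subsequent prompt=login is not mistaken for SSO`. If any step between this authenticator and the auth_time stamping can span a second HTTP request (a required-action page, for instance), the flag is gone by then and the cookie login would be treated as a fresh authentication — worth confirming, since an overstated auth_time is exactly what RPs using max_age rely on. The enclosing method starts and ends outside the hunk.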
@@ -463,9 +463,13 @@ public class AuthenticationManager {
 }
 // Update userSession note with authTime. But just if flag SSO_AUTH is not set
- if (!isSSOAuthentication(clientSession)) {
+ boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
+ if (isSSOAuthentication) {
+ clientSession.setNote(SSO_AUTH, "true");
+ } else {
 int authTime = Time.currentTime();
 userSession.setNote(AUTH_TIME, String.valueOf(authTime));
+ clientSession.removeNote(SSO_AUTH);
 }
 return protocol.authenticated(userSession, clientSession);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index 1c71ab4973..f558ede702 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -287,6 +287,18 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 // Set time offset
 setTimeOffset(10);
+ // SSO login first WITHOUT prompt=login ( Tests KEYCLOAK-5248 )
+ driver.navigate().to(oauth.getLoginFormUrl());
+ Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
+ loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
+ IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+
+ // Assert that authTime wasn't updated
+ Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
+
+ // Set time offset
+ setTimeOffset(20);
+
 // Assert need to re-authenticate with prompt=login
 driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
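Review bot: The non-SSO branch stamps AUTH_TIME with `Time.currentTime()` at the moment this method runs, and the SSO decision now rests on `session.getAttribute(SSO_AUTH)`, a request-scoped value that must have been set earlier in this same request; if this method can be reached in a later request (for example after a required-action round-trip that followed a cookie login), the attribute is null, the else branch runs, and a session that was never re-authenticated receives a fresh auth_time — the unsafe direction for clients enforcing max_age or prompt=login. Worth confirming against the callers, which are outside the hunk, and recording the contract on the existing comment line: `// SSO_AUTH is a per-request KeycloakSession attribute set by CookieAuthenticator; it is mirrored to a client-session note here and cleared on a fresh login so a reused client session cannot carry a stale flag (KEYCLOAK-5248)`. The null-safe `"true".equals(...)` form is the right choice for an Object-typed attribute, so no code change is needed for the lookup itself. The enclosing method starts outside the hunk.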
@@ -295,10 +307,11 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
 Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
 loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
- IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+ newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
 // Assert that authTime was updated
- Assert.assertTrue(oldIdToken.getAuthTime() + 10 <= newIdToken.getAuthTime());
+ Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
+ oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
 // Assert userSession didn't change
 Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());