KEYCLOAK-5248 auth_time is not updated when reauthentication is requested with 'login=prompt'

services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java

@@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator {
             if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
                 context.attempted();
             } else {
-                clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true");
+                context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true");
 
                 context.setUser(authResult.getUser());
                 context.attachUserSession(authResult.getSession());

services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java

@@ -463,9 +463,13 @@ public class AuthenticationManager {
         }
 
         // Update userSession note with authTime. But just if flag SSO_AUTH is not set
-        if (!isSSOAuthentication(clientSession)) {
+        boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
+        if (isSSOAuthentication) {
+            clientSession.setNote(SSO_AUTH, "true");
+        } else {
             int authTime = Time.currentTime();
             userSession.setNote(AUTH_TIME, String.valueOf(authTime));
+            clientSession.removeNote(SSO_AUTH);
         }
 
         return protocol.authenticated(userSession, clientSession);

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java

@@ -287,6 +287,18 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
         // Set time offset
         setTimeOffset(10);
 
+        // SSO login first WITHOUT prompt=login ( Tests KEYCLOAK-5248 )
+        driver.navigate().to(oauth.getLoginFormUrl());
+        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
+        loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
+        IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+
+        // Assert that authTime wasn't updated
+        Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
+
+        // Set time offset
+        setTimeOffset(20);
+
         // Assert need to re-authenticate with prompt=login
         driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
 
@@ -295,10 +307,11 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
         Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
 
         loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
-        IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+        newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
 
         // Assert that authTime was updated
-        Assert.assertTrue(oldIdToken.getAuthTime() + 10 <= newIdToken.getAuthTime());
+        Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
+                oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
 
         // Assert userSession didn't change
         Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());