Merge pull request #4453 from mposolda/master
KEYCLOAK-5248 auth_time is not updated when reauthentication is requested with login=prompt
commit
ff354f6edc
3 changed files with 24 additions and 7 deletions
|
@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator {
|
|||
if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
|
||||
context.attempted();
|
||||
} else {
|
||||
clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true");
|
||||
context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true");
|
||||
|
||||
context.setUser(authResult.getUser());
|
||||
context.attachUserSession(authResult.getSession());
|
||||
|
|
|
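Review bot: The new `context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true")` in the else branch carries no explanation of why the SSO marker now lives on the KeycloakSession instead of the client-session note it appears to replace, and the distinction is the whole fix. Assuming `context.getSession()` is the request-scoped KeycloakSession, the marker now dies with the request, so a later forced re-authentication (the `requireReauthentication` branch above, which only calls `context.attempted()` and sets nothing) is not mistaken for SSO reuse and AUTH_TIME is refreshed; that is what relying parties' `max_age` checks depend on. I would add above the setAttribute line: `// Flag this request as SSO re-use for AuthenticationManager (request-scoped on purpose: a forced re-auth must not inherit it and must refresh AUTH_TIME)`. The enclosing method starts and ends outside the hunk.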
@ -463,9 +463,13 @@ public class AuthenticationManager {
|
|||
}
|
||||
|
||||
// Update userSession note with authTime. But just if flag SSO_AUTH is not set
|
||||
if (!isSSOAuthentication(clientSession)) {
|
||||
boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
|
||||
if (isSSOAuthentication) {
|
||||
clientSession.setNote(SSO_AUTH, "true");
|
||||
} else {
|
||||
int authTime = Time.currentTime();
|
||||
userSession.setNote(AUTH_TIME, String.valueOf(authTime));
|
||||
clientSession.removeNote(SSO_AUTH);
|
||||
}
|
||||
|
||||
return protocol.authenticated(userSession, clientSession);
|
||||
|
|
|
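Review bot: The comment `// Update userSession note with authTime. But just if flag SSO_AUTH is not set` is now stale: the branch below reads the flag from `session.getAttribute(SSO_AUTH)`, writes `clientSession.setNote(SSO_AUTH, "true")` on the SSO path and calls `clientSession.removeNote(SSO_AUTH)` on the fresh-login path, so the client-session note is an output here, not the input the comment describes. I would replace it with: `// SSO_AUTH is set on the (request-scoped) KeycloakSession by CookieAuthenticator. Mirror it onto the client session for later readers; on a real (re)authentication refresh AUTH_TIME and clear any stale SSO marker left on the client session.` The `removeNote` call deserves its own why-comment, since it presumably exists because the client session can outlive the earlier SSO pass that set the note — worth confirming and stating, because a leftover marker would make a forced re-login report the old auth_time. The enclosing method starts outside the hunk.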
@ -282,12 +282,23 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
|
|||
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||
|
||||
EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
||||
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
|
||||
int authTime = idToken.getAuthTime();
|
||||
IDToken oldIdToken = sendTokenRequestAndGetIDToken(loginEvent);
|
||||
|
||||
// Set time offset
|
||||
setTimeOffset(10);
|
||||
|
||||
// SSO login first WITHOUT prompt=login ( Tests KEYCLOAK-5248 )
|
||||
driver.navigate().to(oauth.getLoginFormUrl());
|
||||
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||
loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
||||
IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
|
||||
|
||||
// Assert that authTime wasn't updated
|
||||
Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
|
||||
|
||||
// Set time offset
|
||||
setTimeOffset(20);
|
||||
|
||||
// Assert need to re-authenticate with prompt=login
|
||||
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
|
||||
|
||||
|
@ -296,12 +307,14 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
|
|||
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||
|
||||
loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
||||
idToken = sendTokenRequestAndGetIDToken(loginEvent);
|
||||
int authTimeUpdated = idToken.getAuthTime();
|
||||
newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
|
||||
|
||||
// Assert that authTime was updated
|
||||
Assert.assertTrue(authTime + 10 <= authTimeUpdated);
|
||||
Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
|
||||
oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
|
||||
|
||||
// Assert userSession didn't change
|
||||
Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());
|
||||
}
|
||||
|
||||
|
||||
|
|
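Review bot: The offsets 10 and 20 are repeated between `setTimeOffset(10)` / `setTimeOffset(20)` and the assertions `oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime()` and `authTime + 10 <= authTimeUpdated`, so the second hunk's assertion only stays correct while the two literals are kept in step by hand. Naming them once, e.g. `int ssoOffset = 10; int reauthOffset = 20;` at the first `setTimeOffset` and using them in both places, ties each assertion to the offset it tests. The new message on the `assertTrue` at `oldIdToken.getAuthTime() + 20 <= ...` is a good addition; the equality check `Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime())` after the SSO pass would benefit from the same treatment, e.g. `Assert.assertEquals("auth_time must not change on SSO re-login", ...)`, since it is the regression guard for the SSO branch. Which of the lines are new versus retained is inferred from the hunk counts, so treat the placement as a suggestion; the test method ends inside the second hunk but starts before the first.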