From 30d8a7503b8daec015364d63af3ea0d33ab7b143 Mon Sep 17 00:00:00 2001
From: mposolda <mposolda@gmail.com>
Date: Tue, 5 Sep 2017 11:40:52 +0200
Subject: [PATCH 1/2] KEYCLOAK-5326 Test that userSession is still the same
 after prompt=login

---
 .../testsuite/oidc/OIDCAdvancedRequestParamsTest.java  | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index 03522d66fd..1c71ab4973 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -282,8 +282,7 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
         Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
 
         EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
-        IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
-        int authTime = idToken.getAuthTime();
+        IDToken oldIdToken = sendTokenRequestAndGetIDToken(loginEvent);
 
         // Set time offset
         setTimeOffset(10);
@@ -296,12 +295,13 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
         Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
 
         loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
-        idToken = sendTokenRequestAndGetIDToken(loginEvent);
-        int authTimeUpdated = idToken.getAuthTime();
+        IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
 
         // Assert that authTime was updated
-        Assert.assertTrue(authTime + 10 <= authTimeUpdated);
+        Assert.assertTrue(oldIdToken.getAuthTime() + 10 <= newIdToken.getAuthTime());
 
+        // Assert userSession didn't change
+        Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());
     }
 
 

From fe43c268299dd48d9b3045730a0f6839762e0a0f Mon Sep 17 00:00:00 2001
From: mposolda <mposolda@gmail.com>
Date: Tue, 5 Sep 2017 12:22:01 +0200
Subject: [PATCH 2/2] KEYCLOAK-5248 auth_time is not updated when
 reauthentication is requested with 'login=prompt'

---
 .../browser/CookieAuthenticator.java            |  2 +-
 .../managers/AuthenticationManager.java         |  6 +++++-
 .../oidc/OIDCAdvancedRequestParamsTest.java     | 17 +++++++++++++++--
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
index cf7e1a0ba2..e2e1ee1de4 100755
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
@@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator {
             if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
                 context.attempted();
             } else {
-                clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true");
+                context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true");
 
                 context.setUser(authResult.getUser());
                 context.attachUserSession(authResult.getSession());
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index fa9fec6313..4daee92f54 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -463,9 +463,13 @@ public class AuthenticationManager {
         }
 
         // Update userSession note with authTime. But just if flag SSO_AUTH is not set
-        if (!isSSOAuthentication(clientSession)) {
+        boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
+        if (isSSOAuthentication) {
+            clientSession.setNote(SSO_AUTH, "true");
+        } else {
             int authTime = Time.currentTime();
             userSession.setNote(AUTH_TIME, String.valueOf(authTime));
+            clientSession.removeNote(SSO_AUTH);
         }
 
         return protocol.authenticated(userSession, clientSession);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index 1c71ab4973..f558ede702 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -287,6 +287,18 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
         // Set time offset
         setTimeOffset(10);
 
+        // SSO login first WITHOUT prompt=login ( Tests KEYCLOAK-5248 )
+        driver.navigate().to(oauth.getLoginFormUrl());
+        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
+        loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
+        IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+
+        // Assert that authTime wasn't updated
+        Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
+
+        // Set time offset
+        setTimeOffset(20);
+
         // Assert need to re-authenticate with prompt=login
         driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
 
@@ -295,10 +307,11 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
         Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
 
         loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
-        IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+        newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
 
         // Assert that authTime was updated
-        Assert.assertTrue(oldIdToken.getAuthTime() + 10 <= newIdToken.getAuthTime());
+        Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
+                oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
 
         // Assert userSession didn't change
         Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());