Merge pull request #4453 from mposolda/master
KEYCLOAK-5248 auth_time is not updated when reauthentication is requested with login=prompt
ff354f6edc
3 changed files with 24 additions and 7 deletions
|
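--- a/PATH-NOT-SHOWN/CookieAuthenticator.java
+++ b/PATH-NOT-SHOWN/CookieAuthenticator.java
@@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator {
 if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
 context.attempted();
 } else {
-clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true");
+context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true");
 
 context.setUser(authResult.getUser());
 context.attachUserSession(authResult.getSession());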
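Review bot: The new `context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true")` replaces a client-session note with a request-scoped KeycloakSession attribute, so the marker now lives only for the current request, and nothing at this site says who consumes it or why the scope changed. A comment would spare the next reader the search: `// Request-scoped marker: this login reused an existing SSO session without re-authenticating, so the consumer must not refresh AUTH_TIME`. It is presumably read back in AuthenticationManager (the second file of this commit), but whether the attribute is cleared after being read is not visible here. The enclosing method of CookieAuthenticator starts and ends outside the hunk.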
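--- a/PATH-NOT-SHOWN/AuthenticationManager.java
+++ b/PATH-NOT-SHOWN/AuthenticationManager.java
@@ -463,9 +463,13 @@ public class AuthenticationManager {
 }
 
 // Update userSession note with authTime. But just if flag SSO_AUTH is not set
-if (!isSSOAuthentication(clientSession)) {
+boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
+if (isSSOAuthentication) {
+clientSession.setNote(SSO_AUTH, "true");
+} else {
 int authTime = Time.currentTime();
 userSession.setNote(AUTH_TIME, String.valueOf(authTime));
+clientSession.removeNote(SSO_AUTH);
 }
 
 return protocol.authenticated(userSession, clientSession);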
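Review bot: The else branch now refreshes AUTH_TIME on every non-SSO authentication, which is the actual fix, but the decision is undocumented even though auth_time is the claim relying parties use to enforce max_age and prompt=login; a why-comment belongs above `boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));`, e.g. `// SSO_AUTH is set per request by CookieAuthenticator when an existing session was reused; a real (re)authentication must refresh AUTH_TIME because clients enforce max_age/prompt=login from auth_time`. The removed call `isSSOAuthentication(clientSession)` points to a helper that read the old client-session note; if it still exists elsewhere it now disagrees with this code and should be retired or re-pointed at the session attribute — not verifiable from the hunk. Note also that `clientSession.setNote(SSO_AUTH, "true")` keeps writing the flag to the client session while the branch decision is taken from the request attribute, so the note is informational only for other readers; the comment should say so. The enclosing method starts and ends outside the hunk.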
@ -282,12 +282,23 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
|
||||||
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||||
|
|
||||||
EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
||||||
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
|
IDToken oldIdToken = sendTokenRequestAndGetIDToken(loginEvent);
|
||||||
int authTime = idToken.getAuthTime();
|
|
||||||
|
|
||||||
// Set time offset
|
// Set time offset
|
||||||
setTimeOffset(10);
|
setTimeOffset(10);
|
||||||
|
|
||||||
|
// SSO login first WITHOUT prompt=login ( Tests KEYCLOAK-5248 )
|
||||||
|
driver.navigate().to(oauth.getLoginFormUrl());
|
||||||
|
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||||
|
loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
||||||
|
IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
|
||||||
|
|
||||||
|
// Assert that authTime wasn't updated
|
||||||
|
Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
|
||||||
|
|
||||||
|
// Set time offset
|
||||||
|
setTimeOffset(20);
|
||||||
|
|
||||||
// Assert need to re-authenticate with prompt=login
|
// Assert need to re-authenticate with prompt=login
|
||||||
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
|
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
|
||||||
|
|
||||||
|
@ -296,12 +307,14 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
|
||||||
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
|
||||||
|
|
||||||
loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
|
||||||
idToken = sendTokenRequestAndGetIDToken(loginEvent);
|
newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
|
||||||
int authTimeUpdated = idToken.getAuthTime();
|
|
||||||
|
|
||||||
// Assert that authTime was updated
|
// Assert that authTime was updated
|
||||||
Assert.assertTrue(authTime + 10 <= authTimeUpdated);
|
Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
|
||||||
|
oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
|
||||||
|
|
||||||
|
// Assert userSession didn't change
|
||||||
|
Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
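Review bot: The equality check in the first hunk, `Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());`, is the assertion that actually pins the KEYCLOAK-5248 SSO case, yet unlike the new assertTrue in the second hunk it carries no message, so a failure prints two bare integers; give it the same `"Expected auth time to ..."` style message for consistency. The second hunk's lower bound `oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime()` is right for a forced re-login, but auth_time is also what `max_age` enforcement depends on, and no case in this test exercises that path — worth a follow-up if it is not covered elsewhere. The time offset left at 20 is not reset inside the hunk; presumably a teardown hook handles it, but an explicit reset at the end of the test (if the base class provides one) would keep the test self-contained. The test method starts before the first hunk.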