Merge pull request #4453 from mposolda/master

KEYCLOAK-5248 auth_time is not updated when reauthentication is requested with login=prompt
Marek Posolda 2017-09-05 13:52:37 +02:00 committed by GitHub
commit ff354f6edc
3 changed files with 24 additions and 7 deletions


@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator {
if (protocol.requireReauthentication(authResult.getSession(), clientSession)) { if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
context.attempted(); context.attempted();
} else { } else {
clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true"); context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true");
context.setUser(authResult.getUser()); context.setUser(authResult.getUser());
context.attachUserSession(authResult.getSession()); context.attachUserSession(authResult.getSession());
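Review bot: The SSO marker is now stored as a KeycloakSession attribute, which lives only for the current request, so its arrival at the AuthenticationManager check depends on the cookie authenticator and that check running in the same request; if they can be separated by a redirect, the flag is lost and auth_time would be refreshed for a plain cookie login, which is exactly the value relying parties use to enforce `prompt=login` and `max_age`. Nothing in CookieAuthenticator says who consumes the attribute, so I would add `// Request-scoped marker read by AuthenticationManager: keeps AUTH_TIME from being refreshed on a cookie (SSO) login` above the setAttribute call. The enclosing method starts and ends outside the hunk.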


@ -463,9 +463,13 @@ public class AuthenticationManager {
} }
// Update userSession note with authTime. But just if flag SSO_AUTH is not set // Update userSession note with authTime. But just if flag SSO_AUTH is not set
if (!isSSOAuthentication(clientSession)) { boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
if (isSSOAuthentication) {
clientSession.setNote(SSO_AUTH, "true");
} else {
int authTime = Time.currentTime(); int authTime = Time.currentTime();
userSession.setNote(AUTH_TIME, String.valueOf(authTime)); userSession.setNote(AUTH_TIME, String.valueOf(authTime));
clientSession.removeNote(SSO_AUTH);
} }
return protocol.authenticated(userSession, clientSession); return protocol.authenticated(userSession, clientSession);
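Review bot: The comment above the new check is now incomplete: the flag is read from the request-scoped session attribute, mirrored into the client session note, and on a non-SSO login the stale note is removed, which is the part that actually fixes the reported bug. I would replace it with `// SSO_AUTH is a request-scoped session attribute set by CookieAuthenticator; mirror it into the client session note and refresh AUTH_TIME only on a real (non-SSO) authentication, clearing any marker left by an earlier SSO login`. The literal "true" is compared here and written in both files; a small `isSSOAuthentication(KeycloakSession)` helper beside the `isSSOAuthentication(clientSession)` helper the old line called, if that one is kept, would keep the marker's representation in one place. The enclosing method starts and ends outside the hunk.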


@ -282,12 +282,23 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent(); EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent); IDToken oldIdToken = sendTokenRequestAndGetIDToken(loginEvent);
int authTime = idToken.getAuthTime();
// Set time offset // Set time offset
setTimeOffset(10); setTimeOffset(10);
// SSO login first WITHOUT prompt=login ( Tests KEYCLOAK-5248 )
driver.navigate().to(oauth.getLoginFormUrl());
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime wasn't updated
Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
// Set time offset
setTimeOffset(20);
// Assert need to re-authenticate with prompt=login // Assert need to re-authenticate with prompt=login
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login"); driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
@ -296,12 +307,14 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType()); Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent(); loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
idToken = sendTokenRequestAndGetIDToken(loginEvent); newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
int authTimeUpdated = idToken.getAuthTime();
// Assert that authTime was updated // Assert that authTime was updated
Assert.assertTrue(authTime + 10 <= authTimeUpdated); Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
// Assert userSession didn't change
Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());
} }
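Review bot: The SSO step added in the first hunk asserts only that auth_time is unchanged, while the re-authentication step at the end also checks the session state; adding `Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());` after the auth_time comparison would pin that the cookie login reused the existing user session rather than creating a new one whose auth_time happens to match. The bare `assertEquals` there also lacks the descriptive message the later `assertTrue` carries, so a failure would not show which login produced which value. The enclosing test method starts outside the hunk.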