
KEYCLOAK-5248 auth_time is not updated when reauthentication

9/5/2017 7:22:01 AM


diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
index cf7e1a0..e2e1ee1 100755
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
@@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator {
             if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
                 context.attempted();
             } else {
-                clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true");
+                context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true");
 
                 context.setUser(authResult.getUser());
                 context.attachUserSession(authResult.getSession());
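Review bot: The SSO marker now lives on the per-request KeycloakSession (`context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true")`) instead of on the client session, so it presumably survives only until the current request completes. If the browser flow is resumed in a later request before the code that consumes the flag runs — for example when a required action or a consent step is pending after cookie authentication — the marker would be gone and the login would be indistinguishable from a fresh credential-based authentication, which matters because this flag decides whether auth_time is refreshed. Worth confirming that the consumer always runs in the same request; a comment such as `// request-scoped marker: AuthenticationManager copies it into the client session note when the flow finishes` would make the lifetime explicit. The enclosing method begins outside the hunk.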
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index fa9fec6..4daee92 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -463,9 +463,13 @@ public class AuthenticationManager {
         }
 
         // Update userSession note with authTime. But just if flag SSO_AUTH is not set
-        if (!isSSOAuthentication(clientSession)) {
+        boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
+        if (isSSOAuthentication) {
+            clientSession.setNote(SSO_AUTH, "true");
+        } else {
             int authTime = Time.currentTime();
             userSession.setNote(AUTH_TIME, String.valueOf(authTime));
+            clientSession.removeNote(SSO_AUTH);
         }
 
         return protocol.authenticated(userSession, clientSession);
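Review bot: The comment above the branch still reads "just if flag SSO_AUTH is not set" but the flag is now read from a request-scoped session attribute and then mirrored into the client session note, and nothing here says where it is set; suggest `// SSO_AUTH is set on the KeycloakSession by CookieAuthenticator for this request only; mirror it into the client session note and refresh AUTH_TIME only for a real (non-SSO) authentication`. Because AUTH_TIME feeds the auth_time claim that relying parties use for max_age and prompt=login decisions, a missing attribute silently means "fresh authentication": if this method can run in a later request than the cookie authenticator (e.g. after a required action), auth_time would be advanced without any credential having been checked. Please verify that path, and consider clearing the stale client-session note at flow start rather than only here, so the two stores cannot disagree. The enclosing method starts outside the hunk.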
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index 1c71ab4..f558ede 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -287,6 +287,18 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
         // Set time offset
         setTimeOffset(10);
 
+        // SSO login first WITHOUT prompt=login ( Tests KEYCLOAK-5248 )
+        driver.navigate().to(oauth.getLoginFormUrl());
+        Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
+        loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
+        IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+
+        // Assert that authTime wasn't updated
+        Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
+
+        // Set time offset
+        setTimeOffset(20);
+
         // Assert need to re-authenticate with prompt=login
         driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
 
@@ -295,10 +307,11 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
         Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
 
         loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
-        IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+        newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
 
         // Assert that authTime was updated
-        Assert.assertTrue(oldIdToken.getAuthTime() + 10 <= newIdToken.getAuthTime());
+        Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
+                oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
 
         // Assert userSession didn't change
         Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());