diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
index cf7e1a0..e2e1ee1 100755
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java
@@ -51,7 +51,7 @@ public class CookieAuthenticator implements Authenticator {
if (protocol.requireReauthentication(authResult.getSession(), clientSession)) {
context.attempted();
} else {
- clientSession.setClientNote(AuthenticationManager.SSO_AUTH, "true");
+ context.getSession().setAttribute(AuthenticationManager.SSO_AUTH, "true");
context.setUser(authResult.getUser());
context.attachUserSession(authResult.getSession());
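Review bot: The replacement on the `+` line stores the SSO marker as a plain `"true"` string on whatever `context.getSession()` returns, and the reader in AuthenticationManager (second file of this commit) does `"true".equals(session.getAttribute(SSO_AUTH))`, so the magic value is now duplicated in two files with nothing tying them together; a shared constant next to `SSO_AUTH` (e.g. `public static final String SSO_AUTH_VALUE = "true";`) would keep the two sides in step. Nothing in the hunk says why the flag moved from a client-session note to a session attribute, and the difference in lifetime is the whole point of the change, so a comment would help the next reader: `// Mark this cookie-based (SSO) authentication on the KeycloakSession rather than as a client note, so AuthenticationManager skips the AUTH_TIME refresh for this request only and the marker does not linger on the client session`. The lifetime of the attribute is inferred from the usage in the second hunk rather than visible here, so confirm that the reader runs within the same `KeycloakSession` before relying on it. The enclosing method of CookieAuthenticator starts and ends outside this hunk.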
diff --git a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
index fa9fec6..4daee92 100755
--- a/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
+++ b/services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
@@ -463,9 +463,13 @@ public class AuthenticationManager {
}
// Update userSession note with authTime. But just if flag SSO_AUTH is not set
- if (!isSSOAuthentication(clientSession)) {
+ boolean isSSOAuthentication = "true".equals(session.getAttribute(SSO_AUTH));
+ if (isSSOAuthentication) {
+ clientSession.setNote(SSO_AUTH, "true");
+ } else {
int authTime = Time.currentTime();
userSession.setNote(AUTH_TIME, String.valueOf(authTime));
+ clientSession.removeNote(SSO_AUTH);
}
return protocol.authenticated(userSession, clientSession);
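Review bot: The comment kept on the line above the change ("Update userSession note with authTime. But just if flag SSO_AUTH is not set") no longer describes the block: the flag is now read from `session.getAttribute(SSO_AUTH)` instead of the client session, and the block additionally writes the `SSO_AUTH` note on the client session in the SSO branch and removes it otherwise. Something like `// AUTH_TIME is refreshed only for a fresh (non-SSO) authentication; the SSO marker comes from the KeycloakSession set by CookieAuthenticator and is mirrored onto the clientSession note for downstream protocol code` would match what the new lines do. Since `auth_time` is what relying parties use to enforce `max_age`, the `clientSession.removeNote(SSO_AUTH)` on the non-SSO path is the part that prevents a stale marker from suppressing the refresh, and deserves its own one-line comment. If the old `isSSOAuthentication(clientSession)` helper still exists elsewhere in this class, its semantics now depend on the note written here rather than on CookieAuthenticator, which is worth confirming. The enclosing method starts and ends outside this hunk.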
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
index 03522d6..f558ede 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/oidc/OIDCAdvancedRequestParamsTest.java
@@ -282,12 +282,23 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
EventRepresentation loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
- IDToken idToken = sendTokenRequestAndGetIDToken(loginEvent);
- int authTime = idToken.getAuthTime();
+ IDToken oldIdToken = sendTokenRequestAndGetIDToken(loginEvent);
// Set time offset
setTimeOffset(10);
+ // SSO login first WITHOUT prompt=login ( Tests KEYCLOAK-5248 )
+ driver.navigate().to(oauth.getLoginFormUrl());
+ Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
+ loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
+ IDToken newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
+
+ // Assert that authTime wasn't updated
+ Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime());
+
+ // Set time offset
+ setTimeOffset(20);
+
// Assert need to re-authenticate with prompt=login
driver.navigate().to(oauth.getLoginFormUrl() + "&prompt=login");
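Review bot: The new `Assert.assertEquals(oldIdToken.getAuthTime(), newIdToken.getAuthTime())` has no failure message, unlike the parallel assertion in the second hunk of this file, so a regression here would print only two bare numbers; `Assert.assertEquals("Expected auth time to be unchanged on SSO login", oldIdToken.getAuthTime(), newIdToken.getAuthTime());` keeps the two checks consistent. The SSO re-login is also the case where the user session should be reused, so the `getSessionState()` comparison added later in this file would be just as meaningful here, right after the authTime check. `getAuthTime()` appears to return a boxed value given how it is passed to `assertEquals`; if it can be null on a token, the arithmetic in the second hunk would throw rather than fail cleanly, which may be worth a `assertNotNull` first. The enclosing test method starts before this hunk.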
@@ -296,12 +307,14 @@ public class OIDCAdvancedRequestParamsTest extends AbstractTestRealmKeycloakTest
Assert.assertEquals(AppPage.RequestType.AUTH_RESPONSE, appPage.getRequestType());
loginEvent = events.expectLogin().detail(Details.USERNAME, "test-user@localhost").assertEvent();
- idToken = sendTokenRequestAndGetIDToken(loginEvent);
- int authTimeUpdated = idToken.getAuthTime();
+ newIdToken = sendTokenRequestAndGetIDToken(loginEvent);
// Assert that authTime was updated
- Assert.assertTrue(authTime + 10 <= authTimeUpdated);
+ Assert.assertTrue("Expected auth time to change. old auth time: " + oldIdToken.getAuthTime() + " , new auth time: " + newIdToken.getAuthTime(),
+ oldIdToken.getAuthTime() + 20 <= newIdToken.getAuthTime());
+ // Assert userSession didn't change
+ Assert.assertEquals(oldIdToken.getSessionState(), newIdToken.getSessionState());
}