Keycloak / KEYCLOAK-14851

Make AIA max auth Age configurable


Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: 12.0.0
    • Component/s: Authentication
    • Labels: None
    • NEW
    • NEW

    Description

      As of now, an AIA prompts for re-authentication only if:


      According to the discussion with the maintainers in KEYCLOAK-953 (https://github.com/keycloak/keycloak/pull/7176), this is considered a security vulnerability, since re-auth can be skipped if we have not reached the KC_ACTION_MAX_AGE, and also by removing the query parameter.


      The solution would be to make KC_ACTION_MAX_AGE configurable on a per-AIA basis by adding a new method to RequiredActionProvider (https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionProvider.java).

      The proposed solution is:


      int getMaxAuthAge() { return 300; }
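The per-action max-age check that this proposal implies, as an added example: it is not Keycloak's code. The RequiredAction interface, the UpdatePassword/UpdateProfile classes, the 60-second value and the reauthRequired helper are assumptions that mirror the proposed getMaxAuthAge() method; the decision is keyed on the action being executed and the recorded authentication time, not on the presence of a request parameter, and it fails closed when the authentication time is unknown.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Optional;

// Added illustration of a per-action re-authentication age check.
// Not Keycloak's implementation; names and values are assumptions.
public class AiaReauthCheck {

    // Stand-in for the proposed RequiredActionProvider method (assumption).
    interface RequiredAction {
        String id();
        // Seconds since the last authentication after which this action must re-authenticate.
        default int getMaxAuthAge() { return 300; }
    }

    // A sensitive action that chooses a shorter window than the default (assumed value).
    static final class UpdatePassword implements RequiredAction {
        public String id() { return "UPDATE_PASSWORD"; }
        @Override public int getMaxAuthAge() { return 60; }
    }

    // An action that keeps the default window.
    static final class UpdateProfile implements RequiredAction {
        public String id() { return "UPDATE_PROFILE"; }
    }

    /**
     * Decide whether the user must re-authenticate before this action runs.
     * authTime is when the user last authenticated; an absent value means the
     * server cannot prove recency, so the check fails closed and demands re-auth.
     * The request parameter is deliberately not an input: dropping it from the
     * URL must not let the action run without the age check.
     */
    static boolean reauthRequired(RequiredAction action, Optional<Instant> authTime, Instant now) {
        if (!authTime.isPresent()) {
            return true;
        }
        long ageSeconds = Duration.between(authTime.get(), now).getSeconds();
        // A negative age means a clock problem or a forged note; treat it as stale.
        return ageSeconds < 0 || ageSeconds > action.getMaxAuthAge();
    }

    public static void main(String[] args) {
        // Constructed sample times for the demonstration.
        Instant now = Instant.parse("2020-07-20T10:05:00Z");
        Optional<Instant> twoMinutesAgo = Optional.of(now.minusSeconds(120));
        Optional<Instant> unknown = Optional.empty();

        RequiredAction password = new UpdatePassword();
        RequiredAction profile = new UpdateProfile();

        // 120 s > 60 s: the password action demands a fresh login.
        System.out.println("UPDATE_PASSWORD after 120s -> reauth=" + reauthRequired(password, twoMinutesAgo, now));
        // 120 s <= 300 s: the profile action accepts the existing authentication.
        System.out.println("UPDATE_PROFILE  after 120s -> reauth=" + reauthRequired(profile, twoMinutesAgo, now));
        // Unknown auth time: both fail closed.
        System.out.println("UPDATE_PROFILE  unknown    -> reauth=" + reauthRequired(profile, unknown, now));
    }
}
```

Compile and run with plain javac/java; the point to take from it is that the age window belongs to the action rather than to one global constant, and that the check must run even when the client no longer sends the triggering parameter.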

            People

              Assignee: ssilvert@redhat.com Stan Silvert
              Reporter: zak.amine zakaria amine (Inactive)
              Votes: 0
              Watchers: 3
