Details
- Enhancement
- Status: Closed
- Major
- Resolution: Done
Description
As of now, an AIA prompts for re-authentication only if:
- there is a query parameter prompt=login (this can be easily skipped by removing the query parameter; see the discussion here: https://groups.google.com/forum/#!topic/keycloak-dev/dtytOITaIYw)
- the last authentication time is before KC_ACTION_MAX_AGE (https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/models/Constants.java#L81); see here for the logic: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/OIDCLoginProtocol.java#L378
According to the discussion with the maintainers in KEYCLOAK-953 (https://github.com/keycloak/keycloak/pull/7176), this is considered a security vulnerability, since re-authentication can be skipped if KC_ACTION_MAX_AGE has not been reached, and also by removing the query parameter.
The solution would be to make KC_ACTION_MAX_AGE configurable per AIA by adding a new method to https://github.com/keycloak/keycloak/blob/master/server-spi-private/src/main/java/org/keycloak/authentication/RequiredActionProvider.java
The proposed solution is:
int getMaxAuthAge() { return 300; }
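To make the two bypasses and the proposed fix concrete, here is an added model of the decision logic (illustration only, not Keycloak code): KC_ACTION_MAX_AGE, prompt=login and getMaxAuthAge() come from the issue text, while the query strings, the action names and the RequiredAction stand-in are constructed assumptions.

```python
"""Model of the AIA re-authentication decision described in this issue.

Added illustration, not Keycloak code: KC_ACTION_MAX_AGE, prompt=login and the
getMaxAuthAge() method come from the issue text; the request shape and the
action names are simplified stand-ins.
"""
from dataclasses import dataclass
from urllib.parse import parse_qs

KC_ACTION_MAX_AGE = 300  # seconds; the global default quoted in the issue


@dataclass(frozen=True)
class RequiredAction:
    """Stand-in for a RequiredActionProvider carrying the proposed per-action age."""
    name: str
    max_auth_age: int = KC_ACTION_MAX_AGE  # models the proposed int getMaxAuthAge()

    def get_max_auth_age(self) -> int:
        return self.max_auth_age


def _wants_login_prompt(query: str) -> bool:
    """True only if the (client-controlled) query string still says prompt=login."""
    return "login" in parse_qs(query).get("prompt", [])


def needs_reauth_current(query: str, auth_time: int, now: int) -> bool:
    """Behaviour the issue describes: re-auth only on prompt=login or when the
    last authentication is older than the single global KC_ACTION_MAX_AGE."""
    return _wants_login_prompt(query) or (now - auth_time > KC_ACTION_MAX_AGE)


def needs_reauth_proposed(action: RequiredAction, query: str,
                          auth_time: int, now: int) -> bool:
    """Proposed behaviour: the action's own getMaxAuthAge() sets the bound, so a
    sensitive action with a 0-second age still forces re-auth on a recent login,
    even when the client has stripped prompt=login from the request."""
    return _wants_login_prompt(query) or (now - auth_time > action.get_max_auth_age())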
Issue Links
- blocks: KEYCLOAK-953 Allow user to delete account (Closed)