Kerberos & step-up mechanism

jermarchand · July 13, 2022, 12:47pm

Hi,

In the documentation, the browser flow to step-up is : Server Administration Guide

It work fine because the “CookieAuthenticator” take into account the LoA.

keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/authentication/authenticators/browser/CookieAuthenticator.java#L65


      
          
          
// Cookie re-authentication is skipped if re-authentication is required
          if (protocol.requireReauthentication(authResult.getSession(), authSession)) {
              // Full re-authentication, so we start with no loa
              acrStore.setLevelAuthenticatedToCurrentRequest(Constants.NO_LOA);
              authSession.setAuthNote(AuthenticationManager.FORCED_REAUTHENTICATION, "true");
              context.setForwardedInfoMessage(Messages.REAUTHENTICATE);
              context.attempted();
          } else {
              int previouslyAuthenticatedLevel = acrStore.getHighestAuthenticatedLevelFromPreviousAuthentication();
              if (acrStore.getRequestedLevelOfAuthentication() > previouslyAuthenticatedLevel) {
                  // Step-up authentication, we keep the loa from the existing user session.
                  // The cookie alone is not enough and other authentications must follow.
                  acrStore.setLevelAuthenticatedToCurrentRequest(previouslyAuthenticatedLevel);
                  context.attempted();
              } else {
                  // Cookie only authentication
                  acrStore.setLevelAuthenticatedToCurrentRequest(previouslyAuthenticatedLevel);
                  authSession.setAuthNote(AuthenticationManager.SSO_AUTH, "true");
                  context.attachUserSession(authResult.getSession());
                  context.success();

The “SpnegoAuthenticator” don’t check the LoA

Before submit a PR, I’m asking me if I miss something in the concepts or the documentation.

Thanks for your comments,

Br,

Topic		Replies	Views
Step-Up authentication combined with RequiredAction maxAuthAge	0	128	February 5, 2024
Skip kerberos sso authentication in keycloak	3	962	December 1, 2021
How are cookies used in operations Getting advice	0	1931	August 4, 2020
Generate a secondary step-up token Getting advice authentication	0	518	June 19, 2020
Can I skip login page using access_token + direct access grants with the browser flow? Getting advice	4	1682	June 21, 2022

Kerberos & step-up mechanism

Related Topics