Invalidate authentication session on repeated OTP failures

Closes keycloak#26177 Signed-off-by: Douglas Palmer <[email protected]>
tnorimat · Jan 19, 2024 · 18d0105 · 18d0105
1 parent 972d198
commit 18d0105
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/...rc/main/java/org/keycloak/authentication/authenticators/browser/OTPFormAuthenticator.java b/...rc/main/java/org/keycloak/authentication/authenticators/browser/OTPFormAuthenticator.java
@@ -35,6 +35,7 @@
 import org.keycloak.models.UserCredentialModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.credential.OTPCredentialModel;
+import org.keycloak.services.managers.AuthenticationSessionManager;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.services.validation.Validation;
 import org.keycloak.sessions.AuthenticationSessionModel;
@@ -89,6 +90,7 @@ public void validateOTP(AuthenticationFlowContext context) {
         UserModel userModel = context.getUser();
         if (!enabledUser(context, userModel)) {
             // error in context is set in enabledUser/isDisabledByBruteForce
+            new AuthenticationSessionManager(context.getSession()).removeAuthenticationSession(context.getRealm(), context.getAuthenticationSession(), true);
             return;
         }
 

diff --git a/...tion-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java b/...tion-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/BruteForceTest.java
@@ -455,9 +455,6 @@ public void testBrowserInvalidTotp() throws Exception {
         loginInvalidPassword();
         loginWithTotpFailure();
         continueLoginWithCorrectTotpExpectFailure();
-        continueLoginWithInvalidTotp();
-        clearUserFailures();
-        continueLoginWithTotp();
     }
 
     @Test
@@ -466,13 +463,14 @@ public void testBrowserMissingTotp() throws Exception {
         loginWithMissingTotp();
         loginWithMissingTotp();
         continueLoginWithMissingTotp();
-        continueLoginWithCorrectTotpExpectFailure();
-        // wait to unlock
-        testingClient.testing().setTimeOffset(Collections.singletonMap("offset", String.valueOf(6)));
-
-        continueLoginWithTotp();
+    }
 
-        testingClient.testing().setTimeOffset(Collections.singletonMap("offset", String.valueOf(0)));
+    @Test
+    public void testBrowserTotpSessionClosedAfterLockout() throws Exception {
+        long start = System.currentTimeMillis();
+        loginWithTotpFailure();
+        continueLoginWithInvalidTotp();
+        loginPage.assertCurrent();
     }
 
     @Test