diff --git a/services/src/main/java/org/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.java b/services/src/main/java/org/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.java index 05897fddb2d..a8c268f9659 100644 --- a/services/src/main/java/org/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.java +++ b/services/src/main/java/org/keycloak/organization/authentication/authenticators/browser/OrganizationAuthenticator.java @@ -314,8 +314,11 @@ public class OrganizationAuthenticator extends IdentityProviderAuthenticator { return; } - // user is re-authenticating and there are no organizations to select + // user is re-authenticating, and there are no organizations to select context.success(); + } else { + // user is re-authenticating, there is no organization to process + context.attempted(); } } diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java index e48103cbb8f..2fbb17f0b77 100644 --- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java +++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/organization/authentication/OrganizationAuthenticationTest.java @@ -17,14 +17,17 @@ package org.keycloak.testsuite.organization.authentication; +import static org.hamcrest.CoreMatchers.is; import static org.hamcrest.MatcherAssert.assertThat; import static org.keycloak.testsuite.broker.BrokerTestTools.waitForPage; import java.io.IOException; +import org.hamcrest.Matcher; import org.hamcrest.Matchers; import org.junit.Test; import org.keycloak.admin.client.resource.OrganizationResource; +import org.keycloak.models.UserModel.RequiredAction; import org.keycloak.representations.idm.UserRepresentation; import org.keycloak.testsuite.Assert; import org.keycloak.testsuite.organization.admin.AbstractOrganizationTest; @@ -102,4 +105,33 @@ public class OrganizationAuthenticationTest extends AbstractOrganizationTest { appPage.assertCurrent(); } } + + @Test + public void testForceReAuthenticationBeforeRequiredAction() { + OrganizationResource organization = testRealm().organizations().get(createOrganization().getId()); + UserRepresentation member = addMember(organization); + + oauth.clientId("broker-app"); + loginPage.open(bc.consumerRealmName()); + loginPage.loginUsername(member.getEmail()); + loginPage.login(memberPassword); + appPage.assertCurrent(); + + try { + setTimeOffset(10); + oauth.maxAge("1"); + oauth.kcAction(RequiredAction.UPDATE_PASSWORD.name()); + loginPage.open(bc.consumerRealmName()); + loginPage.assertCurrent(); + Matcher expectedInfo = is("Please re-authenticate to continue"); + assertThat(loginPage.getInfoMessage(), expectedInfo); + loginPage.login(memberPassword); + updatePasswordPage.updatePasswords(memberPassword, memberPassword); + appPage.assertCurrent(); + } finally { + resetTimeOffset(); + oauth.kcAction(null); + oauth.maxAge(null); + } + } }