JanssenProject · yuriyz · Sep 12, 2022 · Sep 12, 2022
@@ -278,6 +278,7 @@ public class AppConfiguration implements Configuration {
 
     private ErrorHandlingMethod errorHandlingMethod = ErrorHandlingMethod.INTERNAL;
 
+    private Boolean disableAuthnForMaxAgeZero;
     private Boolean keepAuthenticatorAttributesOnAcrChange = false;
     private int deviceAuthzRequestExpiresIn;
     private int deviceAuthzTokenPollInterval;
@@ -2138,6 +2139,14 @@ public void setKeepAuthenticatorAttributesOnAcrChange(Boolean keepAuthenticatorA
         this.keepAuthenticatorAttributesOnAcrChange = keepAuthenticatorAttributesOnAcrChange;
     }
 
+    public Boolean getDisableAuthnForMaxAgeZero() {
+        return disableAuthnForMaxAgeZero;
+    }
+
+    public void setDisableAuthnForMaxAgeZero(Boolean disableAuthnForMaxAgeZero) {
+        this.disableAuthnForMaxAgeZero = disableAuthnForMaxAgeZero;
+    }
+
     public String getBackchannelClientId() {
         return backchannelClientId;
     }

@@ -36,6 +36,7 @@
 import io.jans.as.server.util.RedirectUtil;
 import io.jans.as.server.util.ServerUtil;
 import io.jans.orm.exception.EntryPersistenceException;
+import org.apache.commons.lang.BooleanUtils;
 import org.apache.commons.lang.StringUtils;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
@@ -151,16 +152,26 @@ public boolean isAuthnMaxAgeValid(Integer maxAge, SessionId sessionUser, Client
         if (maxAge == null) {
             maxAge = client.getDefaultMaxAge();
         }
+        if (maxAge == null) { // if not set, it's still valid
+            return true;
+        }
+
+        if (maxAge == 0) { // issue #2361: allow authentication for max_age=0
+            if (BooleanUtils.isTrue(appConfiguration.getDisableAuthnForMaxAgeZero())) {
+                return false;
+            }
+            return true;
+        }
+
 
         GregorianCalendar userAuthnTime = new GregorianCalendar(TimeZone.getTimeZone("UTC"));
         if (sessionUser.getAuthenticationTime() != null) {
             userAuthnTime.setTime(sessionUser.getAuthenticationTime());
         }
-        if (maxAge != null) {
-            userAuthnTime.add(Calendar.SECOND, maxAge);
-            return userAuthnTime.after(ServerUtil.now());
-        }
-        return true;
+
+        userAuthnTime.add(Calendar.SECOND, maxAge);
+        return userAuthnTime.after(ServerUtil.now());
+
     }
 
     public void validateRequestJwt(String request, String requestUri, RedirectUriResponse redirectUriResponse) {

@@ -0,0 +1,77 @@
+package io.jans.as.server.authorize.ws.rs;
+
+import io.jans.as.common.model.registration.Client;
+import io.jans.as.common.model.session.SessionId;
+import io.jans.as.model.configuration.AppConfiguration;
+import io.jans.as.model.error.ErrorResponseFactory;
+import io.jans.as.server.security.Identity;
+import io.jans.as.server.service.ClientService;
+import io.jans.as.server.service.DeviceAuthorizationService;
+import io.jans.as.server.service.RedirectionUriService;
+import io.jans.as.server.service.SessionIdService;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.testng.MockitoTestNGListener;
+import org.slf4j.Logger;
+import org.testng.annotations.Listeners;
+import org.testng.annotations.Test;
+
+import static org.mockito.Mockito.when;
+import static org.testng.Assert.assertFalse;
+import static org.testng.Assert.assertTrue;
+
+/**
+ * @author Yuriy Z
+ */
+@Listeners(MockitoTestNGListener.class)
+public class AuthorizeRestWebServiceValidatorTest {
+
+    @InjectMocks
+    private AuthorizeRestWebServiceValidator authorizeRestWebServiceValidator;
+
+    @Mock
+    private Logger log;
+
+    @Mock
+    private ErrorResponseFactory errorResponseFactory;
+
+    @Mock
+    private ClientService clientService;
+
+    @Mock
+    private RedirectionUriService redirectionUriService;
+
+    @Mock
+    private DeviceAuthorizationService deviceAuthorizationService;
+
+    @Mock
+    private AppConfiguration appConfiguration;
+
+    @Mock
+    private SessionIdService sessionIdService;
+
+    @Mock
+    private Identity identity;
+
+    @Test
+    public void isAuthnMaxAgeValid_whenMaxAgeIsZero_shouldReturnTrue() {
+        assertTrue(authorizeRestWebServiceValidator.isAuthnMaxAgeValid(0, new SessionId(), new Client()));
+    }
+
+    @Test
+    public void isAuthnMaxAgeValid_whenMaxAgeIsZeroAndDisableAuthnForMaxAgeZeroIsFalse_shouldReturnTrue() {
+        when(appConfiguration.getDisableAuthnForMaxAgeZero()).thenReturn(false);
+        assertTrue(authorizeRestWebServiceValidator.isAuthnMaxAgeValid(0, new SessionId(), new Client()));
+    }
+
+    @Test
+    public void isAuthnMaxAgeValid_whenMaxAgeIsZeroAndDisableAuthnForMaxAgeZeroIsTrue_shouldReturnFalse() {
+        when(appConfiguration.getDisableAuthnForMaxAgeZero()).thenReturn(true);
+        assertFalse(authorizeRestWebServiceValidator.isAuthnMaxAgeValid(0, new SessionId(), new Client()));
+    }
+
+    @Test
+    public void isAuthnMaxAgeValid_whenMaxAgeIsNull_shouldReturnTrue() {
+        assertTrue(authorizeRestWebServiceValidator.isAuthnMaxAgeValid(0, new SessionId(), new Client()));
+    }
+}
@@ -8,16 +8,19 @@
 
     <test name="Unit Tests" enabled="true">
         <classes>
-            <class name="io.jans.as.server.ws.rs.stat.MonthsTest" />
-            <class name="io.jans.as.server.service.MTLSServiceTest" />
+            <class name="io.jans.as.server.model.CIBAGrantTest" />
             <class name="io.jans.as.server.model.authorize.JwtAuthorizationRequestTest" />
-			<class name="io.jans.as.server.service.ScopeServiceTest" />
-			<class name="io.jans.as.server.service.SpontaneousScopeServiceTest" />
-			<class name="io.jans.as.server.model.CIBAGrantTest" />
-			<class name="io.jans.as.server.service.RedirectionUriServiceTest" />
-			<class name="io.jans.as.server.service.external.ExternalAuthenticationServiceTest" />
-			<class name="io.jans.as.server.token.ws.rs.TokenRestWebServiceValidatorTest" />
-			<class name="io.jans.as.server.servlet.OpenIdConfigurationTest" />
+
+            <class name="io.jans.as.server.service.MTLSServiceTest" />
+            <class name="io.jans.as.server.service.ScopeServiceTest" />
+            <class name="io.jans.as.server.service.SpontaneousScopeServiceTest" />
+            <class name="io.jans.as.server.service.RedirectionUriServiceTest" />
+            <class name="io.jans.as.server.service.external.ExternalAuthenticationServiceTest" />
+            <class name="io.jans.as.server.servlet.OpenIdConfigurationTest" />
+
+            <class name="io.jans.as.server.token.ws.rs.TokenRestWebServiceValidatorTest" />
+            <class name="io.jans.as.server.ws.rs.stat.MonthsTest" />
+            <class name="io.jans.as.server.authorize.ws.rs.AuthorizeRestWebServiceValidatorTest" />
         </classes>
     </test>
 

@@ -4270,6 +4270,8 @@ components:
           - remote
         keepAuthenticatorAttributesOnAcrChange:
           type: boolean
+        disableAuthnForMaxAgeZero:
+          type: boolean
         deviceAuthzRequestExpiresIn:
           type: integer
           format: int32

@@ -5227,6 +5227,9 @@ components:
         keepAuthenticatorAttributesOnAcrChange:
           type: boolean
           description: Boolean value specifying whether to keep authenticator attributes on ACR change.
+        disableAuthnForMaxAgeZero:
+          type: boolean
+          description: Boolean value specifying whether to disable authentication when max_age=0 (false by default)
         deviceAuthzRequestExpiresIn:
           type: integer
           description: Expiration time given for device authorization requests.