From 95e0e944d96bb524f50ab35c3dffdd993cb5d92a Mon Sep 17 00:00:00 2001
From: Douglas Palmer
Date: Sat, 13 Jan 2024 15:01:46 -0800
Subject: [PATCH] Invalidate authentication session on repeated Recovery Code failures
Closes #26180
Signed-off-by: Douglas Palmer
---
 .../browser/RecoveryAuthnCodesFormAuthenticator.java | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/services/src/main/java/org/keycloak/authentication/authenticators/browser/RecoveryAuthnCodesFormAuthenticator.java b/services/src/main/java/org/keycloak/authentication/authenticators/browser/RecoveryAuthnCodesFormAuthenticator.java
index 3f3effa679ae..a0a3c704beb1 100644
--- a/services/src/main/java/org/keycloak/authentication/authenticators/browser/RecoveryAuthnCodesFormAuthenticator.java
+++ b/services/src/main/java/org/keycloak/authentication/authenticators/browser/RecoveryAuthnCodesFormAuthenticator.java
@@ -48,13 +48,13 @@ private boolean isRecoveryAuthnCodeInputValid(AuthenticationFlowContext authnFlo
 MultivaluedMap formParamsMap = authnFlowContext.getHttpRequest().getDecodedFormParameters();
 String recoveryAuthnCodeUserInput = formParamsMap.getFirst(RecoveryAuthnCodesUtils.FIELD_RECOVERY_CODE_IN_BROWSER_FLOW);
- if (ObjectUtil.isBlank(recoveryAuthnCodeUserInput)) {
+ if (ObjectUtil.isBlank(recoveryAuthnCodeUserInput)
+ || "true".equals(authnFlowContext.getAuthenticationSession().getAuthNote(AbstractUsernameFormAuthenticator.SESSION_INVALID))) {
 authnFlowContext.forceChallenge(createLoginForm(authnFlowContext, true, RecoveryAuthnCodesUtils.RECOVERY_AUTHN_CODES_INPUT_DEFAULT_ERROR_MESSAGE, RecoveryAuthnCodesUtils.FIELD_RECOVERY_CODE_IN_BROWSER_FLOW));
 return result;
 }
- RealmModel targetRealm = authnFlowContext.getRealm();
 UserModel authenticatedUser = authnFlowContext.getUser();
 if (!isDisabledByBruteForce(authnFlowContext, authenticatedUser)) {
 boolean isValid = authenticatedUser.credentialManager().isValid(
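Review bot: The invalidated-session case added to the guard is handled exactly like a blank submission: the form is re-rendered with the generic RECOVERY_AUTHN_CODES_INPUT_DEFAULT_ERROR_MESSAGE and `result` (false) is returned, so the user is invited to keep resubmitting a session that can never succeed, and nothing is recorded about those attempts. Giving this branch its own handling would be clearer for both the user and the audit trail, e.g. recording an event error before the challenge (presumably `authnFlowContext.getEvent().error(...)`, if an `Errors` constant is in scope) or failing the flow so the login restarts, plus a comment such as `// auth session was marked invalid after a brute-force lockout; never re-validate codes in it`. The `"true"` literal is duplicated in the second hunk; if AbstractUsernameFormAuthenticator exposes a constant for the note's value, prefer it over the literal in both places. isRecoveryAuthnCodeInputValid begins before this hunk and continues past it.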
@@ -82,6 +82,9 @@ private boolean isRecoveryAuthnCodeInputValid(AuthenticationFlowContext authnFlo
 }
 }
 }
+ else {
+ authnFlowContext.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.SESSION_INVALID, "true");
+ }
 return result;
 }
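Review bot: The new `else` arm sets SESSION_INVALID only once `isDisabledByBruteForce` already returns true, so the "repeated failures" in the title are detected by brute-force protection rather than counted here, and the note is never cleared: after it is set, the guard in the first hunk refuses every later submission for the rest of the authentication session, even once a temporary lockout has expired. That looks intentional but is not obvious from the code, so a comment would help: `// brute-force protection has disabled the user: mark the auth session so later submissions are refused without re-checking codes`. Style: `else` sits on its own line after the closing brace, while the opening braces in this method use K&R layout; `} else {` would match (assuming the third `}` above closes the `if (!isDisabledByBruteForce ...)` block, whose start is outside the hunk). The method's opening is outside the hunk; the final `}` appears to close it.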