Generate RESTART_AUTHENTICATION event on success

Closes keycloak#29385

Signed-off-by: rmartinc <[email protected]>
(cherry picked from commit b258b45)

services/src/main/java/org/keycloak/services/resources/LoginActionsService.java

@@ -231,6 +231,10 @@ public Response restartSession(@QueryParam(AUTH_SESSION_ID) String authSessionId
             return checks.getResponse();
         }
 
+        event.user(authSession.getAuthenticatedUser());
+        event.detail(Details.USERNAME, authSession.getAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME));
+        event.detail(Details.AUTH_METHOD, authSession.getProtocol());
+
         String flowPath = authSession.getClientNote(AuthorizationEndpointBase.APP_INITIATED_FLOW);
         if (flowPath == null) {
             flowPath = AUTHENTICATE_PATH;
@@ -249,6 +253,7 @@ public Response restartSession(@QueryParam(AUTH_SESSION_ID) String authSessionId
 
         URI redirectUri = getLastExecutionUrl(flowPath, null, authSession.getClient().getClientId(), authSession.getTabId());
         logger.debugf("Flow restart requested. Redirecting to %s", redirectUri);
+        event.success();
         return Response.status(Response.Status.FOUND).location(redirectUri).build();
     }
 

services/src/main/java/org/keycloak/services/resources/SessionCodeChecks.java

@@ -150,6 +150,7 @@ public AuthenticationSessionModel initialVerifyAuthSession() {
         }
         if (client != null) {
             session.getContext().setClient(client);
+            setClientToEvent(client);
         }
 
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/LoginTest.java

@@ -774,7 +774,7 @@ public void loginExpiredCode() {
         Assert.assertEquals("Your login attempt timed out. Login will start from the beginning.", loginPage.getError());
         setTimeOffset(0);
 
-        events.expectLogin().client((String) null).user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
+        events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
                 .assertEvent();
     }
 
@@ -794,7 +794,6 @@ public void loginExpiredCodeWithExplicitRemoveExpired() {
 
         events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
                 .detail(Details.RESTART_AFTER_TIMEOUT, "true")
-                .client((String) null)
                 .assertEvent();
     }
 
@@ -851,7 +850,6 @@ public void loginWithDisabledCookies() {
 
         events.expect(EventType.LOGIN_ERROR)
                 .user(new UserRepresentation())
-                .client(new ClientRepresentation())
                 .error(Errors.COOKIE_NOT_FOUND)
                 .assertEvent();
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/MultiFactorAuthenticationTest.java

@@ -33,9 +33,12 @@
 import org.keycloak.authentication.authenticators.browser.UsernameFormFactory;
 import org.keycloak.authentication.authenticators.browser.WebAuthnAuthenticatorFactory;
 import org.keycloak.events.Details;
+import org.keycloak.events.EventType;
 import org.keycloak.models.AuthenticationExecutionModel;
 import org.keycloak.models.utils.TimeBasedOTP;
+import org.keycloak.protocol.oidc.OIDCLoginProtocol;
 import org.keycloak.representations.idm.RealmRepresentation;
+import org.keycloak.representations.idm.UserRepresentation;
 import org.keycloak.testsuite.AbstractTestRealmKeycloakTest;
 import org.keycloak.testsuite.AssertEvents;
 import org.keycloak.testsuite.client.KeycloakTestingClient;
@@ -285,6 +288,7 @@ public void testAlternativeMechanismsInDifferentSubflows_firstMechanismUnavailab
     @Test
     public void testUsernameLabelAndResetLogin() {
         try {
+            UserRepresentation user = testRealm().users().search("user-with-one-configured-otp").get(0);
             configureBrowserFlowWithAlternativeCredentials();
 
             // The "attempted username" with username not yet available on the login screen
@@ -306,6 +310,12 @@ public void testUsernameLabelAndResetLogin() {
 
             // Reset login
             selectAuthenticatorPage.clickResetLogin();
+            events.expect(EventType.RESTART_AUTHENTICATION)
+                    .client(oauth.getClientId())
+                    .user(user.getId())
+                    .detail(Details.USERNAME, "user-with-one-configured-otp")
+                    .detail(Details.AUTH_METHOD, OIDCLoginProtocol.LOGIN_PROTOCOL)
+                    .assertEvent();
 
             // Should be back on the login page
             loginUsernameOnlyPage.assertCurrent();
@@ -321,7 +331,7 @@ public void testUsernameLabelAndResetLogin() {
 
             // Login
             passwordPage.login("password");
-            events.expectLogin().user(testRealm().users().search("user-with-one-configured-otp").get(0).getId())
+            events.expectLogin().user(user.getId())
                     .detail(Details.USERNAME, "[email protected]").assertEvent();
         } finally {
             BrowserFlowTest.revertFlows(testRealm(), "browser - alternative");

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/forms/RestartCookieTest.java

@@ -192,7 +192,6 @@ public void testRestartCookieBackwardsCompatible_Keycloak25() throws IOException
 
         events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
                 .detail(Details.RESTART_AFTER_TIMEOUT, "true")
-                .client((String) null)
                 .assertEvent();
     }
 
@@ -232,7 +231,6 @@ public void testRestartCookieBackwardsCompatible_Keycloak19() throws IOException
 
         events.expectLogin().user((String) null).session((String) null).error(Errors.EXPIRED_CODE).clearDetails()
                 .detail(Details.RESTART_AFTER_TIMEOUT, "true")
-                .client((String) null)
                 .assertEvent();
     }
 }