From 8037689598732516c5cc6fa7b75560e5e46a61f6 Mon Sep 17 00:00:00 2001
From: AFaust
Date: Tue, 18 Feb 2020 01:33:34 +0100
Subject: [PATCH] More flexible 'freshLogin' handling on Bearer token

---
 .../repo/authentication/KeycloakAuthenticationFilter.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
index 786956f..911bd49 100644
--- a/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
+++ b/repository/src/main/java/de/acosix/alfresco/keycloak/repo/authentication/KeycloakAuthenticationFilter.java
@@ -665,7 +665,10 @@ public class KeycloakAuthenticationFilter extends BaseAuthenticationFilter
 LOGGER.trace(
 "Skipping processKeycloakAuthenticationAndActions as Bearer authorization header for {} has already been processed by remote user mapper",
 AlfrescoCompatibilityUtil.maskUsername(accessToken.getPreferredUsername()));
- this.keycloakAuthenticationComponent.handleUserTokens(accessToken, accessToken, session.isNew());
+ // cannot rely on session.isNew() to determine if this is a fresh login
+ // consider "fresh" login if issued in the last second (implicitly include any token refreshes performed client-side)
+ final boolean isFreshLogin = accessToken.getIssuedAt() * 1000l < (System.currentTimeMillis() - 1000);
+ this.keycloakAuthenticationComponent.handleUserTokens(accessToken, accessToken, isFreshLogin);
 // sessionUser should be guaranteed here, but still check - we need it for the cache key
 if (sessionUser != null)