From aed3413c9121181acdfa6984aa59f87e0b4510aa Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Fri, 5 Jun 2026 11:10:09 -0700
Subject: [PATCH 1/4] Service-side reauthentication infrastructure

---
 .../labkey/api/action/SimpleErrorView.java    |   2 -
 .../security/AuthenticationConfiguration.java |   1 +
 .../api/security/AuthenticationManager.java   |  51 +++++++++
 .../api/security/AuthenticationProvider.java  |  12 +++
 .../org/labkey/api/security/LoginUrls.java    |   1 +
 .../labkey/core/login/LoginController.java    | 102 +++++++++++++-----
 .../org/labkey/devtools/TestController.java   |  36 +++++++
 .../authentication/TestSsoConfiguration.java  |   7 ++
 .../org/labkey/devtools/view/testReauth.jsp   |  76 +++++++++++++
 9 files changed, 260 insertions(+), 28 deletions(-)
 create mode 100644 devtools/src/org/labkey/devtools/view/testReauth.jsp

diff --git a/api/src/org/labkey/api/action/SimpleErrorView.java b/api/src/org/labkey/api/action/SimpleErrorView.java
index b7f58fcd742..b50c5cea200 100644
--- a/api/src/org/labkey/api/action/SimpleErrorView.java
+++ b/api/src/org/labkey/api/action/SimpleErrorView.java
@@ -23,8 +23,6 @@
 
 /**
  * View that renders an error collection.
- * User: adam
- * Date: Sep 26, 2007
  */
 public class SimpleErrorView extends JspView<Boolean>
 {
diff --git a/api/src/org/labkey/api/security/AuthenticationConfiguration.java b/api/src/org/labkey/api/security/AuthenticationConfiguration.java
index 9cc866d7432..d308e98c9da 100644
--- a/api/src/org/labkey/api/security/AuthenticationConfiguration.java
+++ b/api/src/org/labkey/api/security/AuthenticationConfiguration.java
@@ -114,6 +114,7 @@ interface SSOAuthenticationConfiguration<AP extends SSOAuthenticationProvider<?>
     {
         LinkFactory getLinkFactory();
         URLHelper getUrl(ViewContext ctx);
+        URLHelper getReauthUrl(ViewContext ctx);
 
         /**
          * Allows an SSO auth configuration to specify that it should be used automatically instead of showing the standard
diff --git a/api/src/org/labkey/api/security/AuthenticationManager.java b/api/src/org/labkey/api/security/AuthenticationManager.java
index c6051d89850..3a5c1d509bb 100644
--- a/api/src/org/labkey/api/security/AuthenticationManager.java
+++ b/api/src/org/labkey/api/security/AuthenticationManager.java
@@ -86,6 +86,7 @@
 import org.labkey.api.usageMetrics.UsageMetricsService;
 import org.labkey.api.util.DateUtil;
 import org.labkey.api.util.ExceptionUtil;
+import org.labkey.api.util.GUID;
 import org.labkey.api.util.HeartBeat;
 import org.labkey.api.util.HtmlString;
 import org.labkey.api.util.HtmlStringBuilder;
@@ -549,7 +550,12 @@ public static abstract class BaseSsoValidateAction<FORM extends AuthenticationCo
         public ModelAndView getView(FORM form, BindException errors) throws Exception
         {
             AuthenticationResponse response = validateAuthentication(form, errors);
+            return response.isReauth() ? getReauthView(response, errors) : getAuthView(response, errors);
+        }
 
+        // Normal primary authentication case
+        private ModelAndView getAuthView(AuthenticationResponse response, BindException errors)
+        {
             // Show validation error(s), if any
             if (errors.hasErrors() || !response.isAuthenticated())
             {
@@ -586,6 +592,44 @@ public ModelAndView getView(FORM form, BindException errors) throws Exception
             return new SimpleErrorView(errors, false);
         }
 
+        // Reauthentication case for electronic signing and other sensitive operations. Check that reauthentication
+        // was successful and re-auth user matches session user. Not currently verifying that the same authentication
+        // configuration was used to reauthenticate.
+        private ModelAndView getReauthView(AuthenticationResponse response, BindException errors)
+        {
+            @Nullable User reauthUser = UserManager.getUser(response.getValidEmail());
+
+            String errorMessage = null;
+
+            if (!response.isAuthenticated())
+            {
+                errorMessage = errors.hasErrors() ? errors.getMessage() : "Reauthentication failed";
+            }
+            else if (!getUser().equals(reauthUser))
+            {
+                errorMessage = "Reauthentication failed: wrong user reauthenticated";
+            }
+
+            LoginReturnProperties properties = getLoginReturnProperties(getViewContext().getRequestOrThrow());
+
+            // We lost the return URL. Could happen on local session timeout.
+            if (properties == null)
+                throw new NotFoundException("Reauthentication failed");
+
+            URLHelper url = properties.getReturnUrl();
+
+            if (errorMessage != null)
+            {
+                url.addParameter("errorMessage", errorMessage);
+            }
+            else
+            {
+                AuthenticationManager.setReauthUser(reauthUser, getViewContext().getRequestOrThrow(), url);
+            }
+
+            throw new RedirectException(url);
+        }
+
         @Override
         protected String getCommandClassMethodName()
         {
@@ -1770,6 +1814,13 @@ public static URLHelper getWelcomeURL()
     public record Reauth(String token, User user){}
     public static final String REAUTH_TOKEN_NAME = "reauthToken";
 
+    public static void setReauthUser(User user, HttpServletRequest request, URLHelper redirectUrl)
+    {
+        String reauthToken = GUID.makeHash();
+        redirectUrl.addParameter(REAUTH_TOKEN_NAME, reauthToken);
+        request.getSession().setAttribute(REAUTH_TOKEN_NAME, new Reauth(reauthToken, user));
+    }
+
     public static @Nullable User getAndClearReauthUser(HttpServletRequest request, @Nullable String token)
     {
         if (token != null)
diff --git a/api/src/org/labkey/api/security/AuthenticationProvider.java b/api/src/org/labkey/api/security/AuthenticationProvider.java
index c59c66f6b4c..b293a5ddf02 100644
--- a/api/src/org/labkey/api/security/AuthenticationProvider.java
+++ b/api/src/org/labkey/api/security/AuthenticationProvider.java
@@ -307,6 +307,7 @@ class AuthenticationResponse
         private @NotNull Map<String, String> _userAttributeMap = Collections.emptyMap();  // A case-insensitive map of attribute names and values associated with the user
         private @NotNull Map<String, Object> _authenticationProperties = Collections.emptyMap();
         private boolean _requireSecondary = true;                                         // Require secondary authentication
+        private boolean _reauth = false;
         private @Nullable String _successDetails = null;                                  // An optional string describing how successful authentication took place, which will
                                                                                           // appear in the audit log. If null, the configuration's description will be used.
 
@@ -447,6 +448,17 @@ public AuthenticationResponse setRequireSecondary(boolean requireSecondary)
             _requireSecondary = requireSecondary;
             return this;
         }
+
+        public boolean isReauth()
+        {
+            return _reauth;
+        }
+
+        public AuthenticationResponse setReauth(boolean reauth)
+        {
+            _reauth = reauth;
+            return this;
+        }
     }
 
     // FailureReasons are only reported to administrators (in the audit log and/or server log), NOT to users (and potential
diff --git a/api/src/org/labkey/api/security/LoginUrls.java b/api/src/org/labkey/api/security/LoginUrls.java
index 856ffb05afe..52bc43b6d4f 100644
--- a/api/src/org/labkey/api/security/LoginUrls.java
+++ b/api/src/org/labkey/api/security/LoginUrls.java
@@ -41,4 +41,5 @@ public interface LoginUrls extends UrlProvider
     ActionURL getStopImpersonatingURL(Container c, @Nullable URLHelper returnUrl);
     ActionURL getAgreeToTermsURL(Container c, URLHelper returnUrl);
     ActionURL getSSORedirectURL(SSOAuthenticationConfiguration<?> configuration, URLHelper returnUrl, boolean skipProfile);
+    ActionURL getSSOReauthURL(SSOAuthenticationConfiguration<?> configuration, URLHelper returnUrl);
 }
diff --git a/core/src/org/labkey/core/login/LoginController.java b/core/src/org/labkey/core/login/LoginController.java
index 5e1e40e98d5..a3ddd86fa12 100644
--- a/core/src/org/labkey/core/login/LoginController.java
+++ b/core/src/org/labkey/core/login/LoginController.java
@@ -25,6 +25,7 @@
 import org.apache.logging.log4j.Logger;
 import org.jetbrains.annotations.Nullable;
 import org.json.JSONArray;
+import org.json.JSONObject;
 import org.labkey.api.action.ApiResponse;
 import org.labkey.api.action.ApiSimpleResponse;
 import org.labkey.api.action.ApiUsageException;
@@ -52,6 +53,7 @@
 import org.labkey.api.security.ActionNames;
 import org.labkey.api.security.AdminConsoleAction;
 import org.labkey.api.security.AuthenticationConfiguration.LoginFormAuthenticationConfiguration;
+import org.labkey.api.security.AuthenticationConfiguration.PrimaryAuthenticationConfiguration;
 import org.labkey.api.security.AuthenticationConfiguration.SSOAuthenticationConfiguration;
 import org.labkey.api.security.AuthenticationConfiguration.SecondaryAuthenticationConfiguration;
 import org.labkey.api.security.AuthenticationConfigurationCache;
@@ -72,6 +74,7 @@
 import org.labkey.api.security.MutableSecurityPolicy;
 import org.labkey.api.security.PasswordExpiration;
 import org.labkey.api.security.PasswordRule;
+import org.labkey.api.security.RequiresLogin;
 import org.labkey.api.security.RequiresNoPermission;
 import org.labkey.api.security.RequiresPermission;
 import org.labkey.api.security.SecurityManager;
@@ -115,6 +118,7 @@
 import org.labkey.api.view.RedirectException;
 import org.labkey.api.view.UnsafeExternalRedirectException;
 import org.labkey.api.view.VBox;
+import org.labkey.api.view.ViewContext;
 import org.labkey.api.view.WebPartView;
 import org.labkey.api.view.template.PageConfig;
 import org.labkey.api.wiki.WikiRendererType;
@@ -301,12 +305,24 @@ public ActionURL getAgreeToTermsURL(Container c, URLHelper returnUrl)
         @Override
         public ActionURL getSSORedirectURL(SSOAuthenticationConfiguration<?> configuration, URLHelper returnUrl, boolean skipProfile)
         {
-            ActionURL url = new ActionURL(SsoRedirectAction.class, ContainerManager.getRoot());
-            url.addParameter("configuration", configuration.getRowId());
+            ActionURL url = getRedirectURL(SsoRedirectAction.class, configuration, returnUrl);
             if (skipProfile)
             {
                 url.addParameter("skipProfile", 1);
             }
+            return url;
+        }
+
+        @Override
+        public ActionURL getSSOReauthURL(SSOAuthenticationConfiguration<?> configuration, URLHelper returnUrl)
+        {
+            return getRedirectURL(SsoReauthAction.class, configuration, returnUrl);
+        }
+
+        private ActionURL getRedirectURL(Class<? extends Controller> redirectActionClass, SSOAuthenticationConfiguration<?> configuration, @Nullable URLHelper returnUrl)
+        {
+            ActionURL url = new ActionURL(redirectActionClass, ContainerManager.getRoot());
+            url.addParameter("configuration", configuration.getRowId());
             if (null != returnUrl)
             {
                 String fragment = returnUrl.getFragment();
@@ -707,9 +723,7 @@ else if (form.getTermsOfUseType() == TermsOfUseType.SITE_WIDE)
 
                 if (form.isForceReauth())
                 {
-                    String reauthToken = GUID.makeHash();
-                    redirectUrl.addParameter(REAUTH_TOKEN_NAME, reauthToken);
-                    request.getSession().setAttribute(REAUTH_TOKEN_NAME, new Reauth(reauthToken, user));
+                    AuthenticationManager.setReauthUser(user, request, redirectUrl);
                 }
 
                 // Use the full hostname in the URL if we have one, otherwise just go with a local URI
@@ -1539,20 +1553,8 @@ public Object execute(ReturnUrlForm form, BindException errors)
 
     public static class SsoRedirectForm extends AbstractLoginForm
     {
-        private String _provider;
         private int _configuration;
 
-        public String getProvider()
-        {
-            return _provider;
-        }
-
-        @SuppressWarnings("unused")
-        public void setProvider(String provider)
-        {
-            _provider = provider;
-        }
-
         public int getConfiguration()
         {
             return _configuration;
@@ -1565,18 +1567,13 @@ public void setConfiguration(int configuration)
         }
     }
 
-    @RequiresNoPermission
-    @AllowedDuringUpgrade
-    // Always invoked in the root, so no need to ignore locked projects
-    public static class SsoRedirectAction extends SimpleViewAction<SsoRedirectForm>
+    private static abstract class BaseSsoRedirectAction extends SimpleViewAction<SsoRedirectForm>
     {
+        protected abstract URLHelper getUrl(SSOAuthenticationConfiguration<?> configuration, ViewContext context);
+
         @Override
         public ModelAndView getView(SsoRedirectForm form, BindException errors)
         {
-            // If logged in then redirect immediately
-            if (!getUser().isGuest())
-                return HttpView.redirect(form.getReturnActionURL(AppProps.getInstance().getHomePageActionURL()));
-
             // If we have a returnUrl or skipProfile param then create and stash LoginReturnProperties
             URLHelper returnUrl = form.getReturnUrlHelper();
             if (null != returnUrl || form.getSkipProfile())
@@ -1592,7 +1589,7 @@ public ModelAndView getView(SsoRedirectForm form, BindException errors)
             if (null == configuration)
                 throw new NotFoundException("Authentication configuration is not valid");
 
-            url = configuration.getUrl(getViewContext());
+            url = getUrl(configuration, getViewContext());
 
             // It's safe to bypass checking the external redirect allow list in this case because we are redirecting to
             // the administrator-provided URL from the SSO authentication configuration.
@@ -1605,6 +1602,59 @@ public final void addNavTrail(NavTree root)
         }
     }
 
+    @RequiresNoPermission
+    @AllowedDuringUpgrade
+    // Always invoked in the root, so no need to ignore locked projects
+    public static class SsoRedirectAction extends BaseSsoRedirectAction
+    {
+        @Override
+        public ModelAndView getView(SsoRedirectForm form, BindException errors)
+        {
+            // If logged in then redirect immediately
+            if (!getUser().isGuest())
+                return HttpView.redirect(form.getReturnActionURL(AppProps.getInstance().getHomePageActionURL()));
+
+            return super.getView(form, errors);
+        }
+
+        @Override
+        protected URLHelper getUrl(SSOAuthenticationConfiguration<?> configuration, ViewContext context)
+        {
+            return configuration.getUrl(context);
+        }
+    }
+
+    // Very similar to SsoRedirectAction, but needs different annotations, so we have two separate classes
+    @RequiresLogin
+    public static class SsoReauthAction extends BaseSsoRedirectAction
+    {
+        @Override
+        protected URLHelper getUrl(SSOAuthenticationConfiguration<?> configuration, ViewContext context)
+        {
+            return configuration.getReauthUrl(context);
+        }
+    }
+
+    @SuppressWarnings("unused") // Called from client code
+    @RequiresLogin
+    public static class GetAuthenticationConfigurationAction extends ReadOnlyApiAction<ReturnUrlForm>
+    {
+        @Override
+        public Object execute(ReturnUrlForm form, BindException errors)
+        {
+            PrimaryAuthenticationConfiguration<?> configuration = AuthenticationManager.getConfiguration(getViewContext().getSession());
+            if (configuration == null)
+            {
+                throw new RuntimeException("No configuration found");
+            }
+            JSONObject resp = new JSONObject();
+            resp.put("description", configuration.getDescription());
+            if (configuration instanceof SSOAuthenticationConfiguration<?> sso)
+                resp.put("reauthUrl", urlProvider(LoginUrls.class).getSSOReauthURL(sso, form.getReturnActionURL()));
+            return success(resp);
+        }
+    }
+
     public static final String PASSWORD1_TEXT_FIELD_NAME = "password";
     public static final String PASSWORD2_TEXT_FIELD_NAME = "password2";
 
diff --git a/devtools/src/org/labkey/devtools/TestController.java b/devtools/src/org/labkey/devtools/TestController.java
index 1240c01fb0e..c78d22976cd 100644
--- a/devtools/src/org/labkey/devtools/TestController.java
+++ b/devtools/src/org/labkey/devtools/TestController.java
@@ -19,6 +19,7 @@
 import jakarta.servlet.http.HttpServletResponse;
 import org.apache.logging.log4j.Logger;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 import org.junit.Assert;
 import org.junit.Test;
 import org.labkey.api.action.ApiResponse;
@@ -1492,4 +1493,39 @@ public void testJacksonInputLimitExceeded() throws Exception
         }
     }
 
+    public record ReauthForm(@Nullable String reauthToken, @Nullable String errorMessage){}
+
+    @RequiresLogin
+    public static class TestReauthAction extends FormViewAction<ReauthForm>
+    {
+        @Override
+        public void validateCommand(ReauthForm form, Errors errors)
+        {
+        }
+
+        @Override
+        public ModelAndView getView(ReauthForm form, boolean reshow, BindException errors)
+        {
+            getPageConfig().setTemplate(PageConfig.Template.Dialog);
+            return new JspView<>("/org/labkey/devtools/view/testReauth.jsp", form, errors);
+        }
+
+        @Override
+        public boolean handlePost(ReauthForm form, BindException errors)
+        {
+            // TODO: Validate the reauthToken here - push into errors
+            return false;
+        }
+
+        @Override
+        public URLHelper getSuccessURL(ReauthForm form)
+        {
+            return null;
+        }
+
+        @Override
+        public void addNavTrail(NavTree root)
+        {
+        }
+    }
 }
diff --git a/devtools/src/org/labkey/devtools/authentication/TestSsoConfiguration.java b/devtools/src/org/labkey/devtools/authentication/TestSsoConfiguration.java
index 34da73011d4..48d777e6ef0 100644
--- a/devtools/src/org/labkey/devtools/authentication/TestSsoConfiguration.java
+++ b/devtools/src/org/labkey/devtools/authentication/TestSsoConfiguration.java
@@ -15,6 +15,7 @@
  */
 package org.labkey.devtools.authentication;
 
+import org.apache.commons.lang3.NotImplementedException;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 import org.labkey.api.data.ContainerManager;
@@ -53,6 +54,12 @@ public URLHelper getUrl(ViewContext ctx)
         return url;
     }
 
+    @Override
+    public URLHelper getReauthUrl(ViewContext ctx)
+    {
+        throw new NotImplementedException();
+    }
+
     @Override
     public LinkFactory getLinkFactory()
     {
diff --git a/devtools/src/org/labkey/devtools/view/testReauth.jsp b/devtools/src/org/labkey/devtools/view/testReauth.jsp
new file mode 100644
index 00000000000..29342cb52fa
--- /dev/null
+++ b/devtools/src/org/labkey/devtools/view/testReauth.jsp
@@ -0,0 +1,76 @@
+<%
+/*
+ * Copyright (c) 2014-2026 LabKey Corporation
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+%>
+<%@ page import="org.labkey.api.view.ActionURL" %>
+<%@ page import="org.labkey.api.view.HttpView" %>
+<%@ page import="org.labkey.api.view.JspView" %>
+<%@ page import="org.labkey.devtools.TestController.ReauthForm" %>
+<%@ page import="org.labkey.devtools.TestController.TestReauthAction" %>
+<%@ taglib prefix="labkey" uri="http://www.labkey.org/taglib" %>
+<%@ page extends="org.labkey.api.jsp.JspBase" %>
+<%
+    JspView<ReauthForm> me = HttpView.currentView();
+    ReauthForm form = me.getModelBean();
+    ActionURL formURL = urlFor(TestReauthAction.class);
+%>
+<script type="text/javascript" nonce="<%=getScriptNonce()%>">
+    LABKEY.Utils.onReady(function() {
+        LABKEY.Ajax.request({
+            url: LABKEY.ActionURL.buildURL('login', 'getAuthenticationConfiguration.api'),
+            params: {
+                returnUrl: window.location.href,
+            },
+            success: function(response) {
+                const needReauth = <%=form.reauthToken() == null%>;
+                const data = JSON.parse(response.responseText).data;
+                document.getElementById("description").textContent = data.description;
+                if (needReauth && data.reauthUrl) {
+                    const link = document.getElementById("link");
+                    link.href = data.reauthUrl;
+                    link.style.display = "inline";
+                }
+            },
+            failure: function() {
+                alert('Failed to retrieve configuration!');
+            }
+        });
+    });
+</script>
+
+You authenticated with: <span id="description"></span><br/>
+
+<%
+    if (form.reauthToken() != null)
+    {
+%>
+Looks like you successfully re-authenticated and received token: <%=h(form.reauthToken())%>
+<%
+    }
+    else if (form.errorMessage() != null)
+    {
+%>
+Looks like your reauthentication failed: <%=h(form.errorMessage())%>. Try again?
+<%
+    }
+    else
+    {
+%>
+Looks like you need to re-authenticate.
+<%
+    }
+%>
+<a style="display: none;" id="link" href="">Click here</a>

From c5e76d87c5309fb64469312641bb96c1e8a6f41c Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Fri, 5 Jun 2026 11:44:22 -0700
Subject: [PATCH 2/4] Validate reauthToken to complete flow

---
 devtools/src/org/labkey/devtools/TestController.java | 12 ++++++++----
 devtools/src/org/labkey/devtools/view/testReauth.jsp |  8 ++++++--
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/devtools/src/org/labkey/devtools/TestController.java b/devtools/src/org/labkey/devtools/TestController.java
index c78d22976cd..caaad89d161 100644
--- a/devtools/src/org/labkey/devtools/TestController.java
+++ b/devtools/src/org/labkey/devtools/TestController.java
@@ -41,12 +41,14 @@
 import org.labkey.api.mcp.AbstractAgentAction;
 import org.labkey.api.mcp.McpService;
 import org.labkey.api.security.AdminConsoleAction;
+import org.labkey.api.security.AuthenticationManager;
 import org.labkey.api.security.CSRF;
 import org.labkey.api.security.MethodsAllowed;
 import org.labkey.api.security.RequiresLogin;
 import org.labkey.api.security.RequiresNoPermission;
 import org.labkey.api.security.RequiresPermission;
 import org.labkey.api.security.RequiresSiteAdmin;
+import org.labkey.api.security.User;
 import org.labkey.api.security.permissions.AdminOperationsPermission;
 import org.labkey.api.security.permissions.AdminPermission;
 import org.labkey.api.security.permissions.DeletePermission;
@@ -1496,7 +1498,7 @@ public void testJacksonInputLimitExceeded() throws Exception
     public record ReauthForm(@Nullable String reauthToken, @Nullable String errorMessage){}
 
     @RequiresLogin
-    public static class TestReauthAction extends FormViewAction<ReauthForm>
+    public class TestReauthAction extends FormViewAction<ReauthForm>
     {
         @Override
         public void validateCommand(ReauthForm form, Errors errors)
@@ -1513,14 +1515,16 @@ public ModelAndView getView(ReauthForm form, boolean reshow, BindException error
         @Override
         public boolean handlePost(ReauthForm form, BindException errors)
         {
-            // TODO: Validate the reauthToken here - push into errors
-            return false;
+            User reauthUser = AuthenticationManager.getAndClearReauthUser(getViewContext().getRequestOrThrow(), form.reauthToken());
+            if (reauthUser == null)
+                throw new NotFoundException("Reauthentication validation failed!");
+            return true;
         }
 
         @Override
         public URLHelper getSuccessURL(ReauthForm form)
         {
-            return null;
+            return actionURL(BeginAction.class);
         }
 
         @Override
diff --git a/devtools/src/org/labkey/devtools/view/testReauth.jsp b/devtools/src/org/labkey/devtools/view/testReauth.jsp
index 29342cb52fa..15e51bff28c 100644
--- a/devtools/src/org/labkey/devtools/view/testReauth.jsp
+++ b/devtools/src/org/labkey/devtools/view/testReauth.jsp
@@ -25,7 +25,6 @@
 <%
     JspView<ReauthForm> me = HttpView.currentView();
     ReauthForm form = me.getModelBean();
-    ActionURL formURL = urlFor(TestReauthAction.class);
 %>
 <script type="text/javascript" nonce="<%=getScriptNonce()%>">
     LABKEY.Utils.onReady(function() {
@@ -57,7 +56,12 @@ You authenticated with: <span id="description"></span><br/>
     if (form.reauthToken() != null)
     {
 %>
-Looks like you successfully re-authenticated and received token: <%=h(form.reauthToken())%>
+Looks like you successfully re-authenticated and received token: <%=h(form.reauthToken())%><br/>
+
+<labkey:form method="POST">
+    <input type="hidden" name="reauthToken" value="<%=h(form.reauthToken())%>">
+    <input class="labkey-button primary" type="submit" value="Sign!">
+</labkey:form>
 <%
     }
     else if (form.errorMessage() != null)

From 4b4cb014cdf27ff50fe3f60b46d38c70a52712a9 Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Sun, 7 Jun 2026 07:39:24 -0700
Subject: [PATCH 3/4] Support local re-auth via login page for DB/LDAP. Push
 more validation into setReauthUser(). Distinguish between login page doing
 local re-auth vs. CAS IdP.

---
 .../api/security/AuthenticationManager.java   | 51 +++++++++++--------
 .../org/labkey/api/security/LoginUrls.java    |  2 +-
 .../labkey/core/login/LoginController.java    | 38 ++++++++++----
 core/webapp/login.js                          |  3 +-
 .../org/labkey/devtools/TestController.java   |  2 +-
 .../org/labkey/devtools/view/testReauth.jsp   | 31 +++++------
 6 files changed, 79 insertions(+), 48 deletions(-)

diff --git a/api/src/org/labkey/api/security/AuthenticationManager.java b/api/src/org/labkey/api/security/AuthenticationManager.java
index 3a5c1d509bb..7515b5b31d7 100644
--- a/api/src/org/labkey/api/security/AuthenticationManager.java
+++ b/api/src/org/labkey/api/security/AuthenticationManager.java
@@ -597,18 +597,12 @@ private ModelAndView getAuthView(AuthenticationResponse response, BindException
         // configuration was used to reauthenticate.
         private ModelAndView getReauthView(AuthenticationResponse response, BindException errors)
         {
-            @Nullable User reauthUser = UserManager.getUser(response.getValidEmail());
-
             String errorMessage = null;
 
             if (!response.isAuthenticated())
             {
                 errorMessage = errors.hasErrors() ? errors.getMessage() : "Reauthentication failed";
             }
-            else if (!getUser().equals(reauthUser))
-            {
-                errorMessage = "Reauthentication failed: wrong user reauthenticated";
-            }
 
             LoginReturnProperties properties = getLoginReturnProperties(getViewContext().getRequestOrThrow());
 
@@ -617,15 +611,9 @@ else if (!getUser().equals(reauthUser))
                 throw new NotFoundException("Reauthentication failed");
 
             URLHelper url = properties.getReturnUrl();
+            @Nullable User reauthUser = UserManager.getUser(response.getValidEmail());
 
-            if (errorMessage != null)
-            {
-                url.addParameter("errorMessage", errorMessage);
-            }
-            else
-            {
-                AuthenticationManager.setReauthUser(reauthUser, getViewContext().getRequestOrThrow(), url);
-            }
+            AuthenticationManager.setReauthUser(reauthUser, getUser(), getViewContext().getRequestOrThrow(), errorMessage, url);
 
             throw new RedirectException(url);
         }
@@ -1813,15 +1801,35 @@ public static URLHelper getWelcomeURL()
 
     public record Reauth(String token, User user){}
     public static final String REAUTH_TOKEN_NAME = "reauthToken";
+    public static final String ERROR_MESSAGE = "errorMessage";
 
-    public static void setReauthUser(User user, HttpServletRequest request, URLHelper redirectUrl)
+    /**
+     * @param reauthUser   Re-auth user to stash in session with the re-auth token
+     * @param sessionUser  If not null, validate that this user and reauthUser are the same
+     * @param request      Request from which to retrieve the session
+     * @param errorMessage Pre-existing error message to add to the URL
+     * @param redirectUrl  URL to which the token (on success) or error message (on failure) gets added
+     */
+    public static void setReauthUser(User reauthUser, @Nullable User sessionUser, HttpServletRequest request, @Nullable String errorMessage, URLHelper redirectUrl)
     {
-        String reauthToken = GUID.makeHash();
-        redirectUrl.addParameter(REAUTH_TOKEN_NAME, reauthToken);
-        request.getSession().setAttribute(REAUTH_TOKEN_NAME, new Reauth(reauthToken, user));
+        if (errorMessage == null && sessionUser != null && !sessionUser.equals(reauthUser))
+        {
+            errorMessage = "Reauthentication failed: wrong user reauthenticated";
+        }
+
+        if (errorMessage != null)
+        {
+            redirectUrl.addParameter(ERROR_MESSAGE, errorMessage);
+        }
+        else
+        {
+            String reauthToken = GUID.makeHash();
+            redirectUrl.addParameter(REAUTH_TOKEN_NAME, reauthToken);
+            request.getSession().setAttribute(REAUTH_TOKEN_NAME, new Reauth(reauthToken, reauthUser));
+        }
     }
 
-    public static @Nullable User getAndClearReauthUser(HttpServletRequest request, @Nullable String token)
+    public static @Nullable User getAndClearReauthUser(HttpServletRequest request, @Nullable String token, @Nullable User sessionUser)
     {
         if (token != null)
         {
@@ -1838,7 +1846,10 @@ public static void setReauthUser(User user, HttpServletRequest request, URLHelpe
                     if (matches)
                     {
                         session.removeAttribute(REAUTH_TOKEN_NAME);
-                        return reauth.user();
+                        User reauthUser = reauth.user();
+
+                        if (sessionUser == null || sessionUser.equals(reauthUser))
+                            return reauthUser;
                     }
                 }
             }
diff --git a/api/src/org/labkey/api/security/LoginUrls.java b/api/src/org/labkey/api/security/LoginUrls.java
index 52bc43b6d4f..b1739d85432 100644
--- a/api/src/org/labkey/api/security/LoginUrls.java
+++ b/api/src/org/labkey/api/security/LoginUrls.java
@@ -35,7 +35,7 @@ public interface LoginUrls extends UrlProvider
     ActionURL getLoginURL(URLHelper returnUrl);
     ActionURL getRegisterURL(Container c, @Nullable URLHelper returnUrl);
     ActionURL getLoginURL(Container c, @Nullable URLHelper returnUrl);
-    ActionURL getForceReauthURL(Container c, @Nullable URLHelper returnUrl);
+    ActionURL getForceReauthURL(Container c, boolean local, @Nullable URLHelper returnUrl);
     ActionURL getLogoutURL(Container c);
     ActionURL getLogoutURL(Container c, URLHelper returnUrl);
     ActionURL getStopImpersonatingURL(Container c, @Nullable URLHelper returnUrl);
diff --git a/core/src/org/labkey/core/login/LoginController.java b/core/src/org/labkey/core/login/LoginController.java
index a3ddd86fa12..3c63e9fcd2d 100644
--- a/core/src/org/labkey/core/login/LoginController.java
+++ b/core/src/org/labkey/core/login/LoginController.java
@@ -62,7 +62,6 @@
 import org.labkey.api.security.AuthenticationManager.AuthenticationStatus;
 import org.labkey.api.security.AuthenticationManager.LoginReturnProperties;
 import org.labkey.api.security.AuthenticationManager.PrimaryAuthenticationResult;
-import org.labkey.api.security.AuthenticationManager.Reauth;
 import org.labkey.api.security.AuthenticationProvider;
 import org.labkey.api.security.AuthenticationProvider.SSOAuthenticationProvider;
 import org.labkey.api.security.CSRF;
@@ -96,7 +95,6 @@
 import org.labkey.api.settings.WriteableLookAndFeelProperties;
 import org.labkey.api.util.CSRFUtil;
 import org.labkey.api.util.ConfigurationException;
-import org.labkey.api.util.GUID;
 import org.labkey.api.util.HelpTopic;
 import org.labkey.api.util.HtmlString;
 import org.labkey.api.util.MailHelper;
@@ -145,7 +143,6 @@
 import static org.labkey.api.security.AuthenticationManager.LOGIN_ATTEMPT_LIMIT_KEY;
 import static org.labkey.api.security.AuthenticationManager.LOGIN_ATTEMPT_PERIOD_KEY;
 import static org.labkey.api.security.AuthenticationManager.LOGIN_ATTEMPT_RESET_TIME_KEY;
-import static org.labkey.api.security.AuthenticationManager.REAUTH_TOKEN_NAME;
 import static org.labkey.api.security.AuthenticationManager.SELF_REGISTRATION_KEY;
 import static org.labkey.api.security.AuthenticationManager.SELF_SERVICE_EMAIL_CHANGES_KEY;
 
@@ -252,10 +249,16 @@ public ActionURL getLoginURL(Container c, @Nullable URLHelper returnUrl)
         }
 
         @Override
-        public ActionURL getForceReauthURL(Container c, @Nullable URLHelper returnUrl)
+        public ActionURL getForceReauthURL(Container c, boolean local, @Nullable URLHelper returnUrl)
         {
-            return getLoginURL(c, returnUrl)
+            ActionURL url = getLoginURL(c, returnUrl)
                 .addParameter("forceReauth", true);
+
+            // Customizes re-auth behavior for the local login page case (vs. CAS IdP case)
+            if (local)
+                url.addParameter("local", true);
+
+            return url;
         }
 
         @Override
@@ -666,7 +669,7 @@ public class LoginApiAction extends MutatingApiAction<LoginForm>
         @Override
         public Object execute(LoginForm form, BindException errors)
         {
-            HttpServletRequest request = getViewContext().getRequest();
+            HttpServletRequest request = getViewContext().getRequestOrThrow();
 
             // Store passed in returnUrl and skipProfile param at the start of the login so we can redirect to it after
             // any password resets, secondary logins, profile updates, etc. have finished
@@ -723,7 +726,7 @@ else if (form.getTermsOfUseType() == TermsOfUseType.SITE_WIDE)
 
                 if (form.isForceReauth())
                 {
-                    AuthenticationManager.setReauthUser(user, request, redirectUrl);
+                    AuthenticationManager.setReauthUser(user, form.isLocal() ? getUser() : null, request, null, redirectUrl);
                 }
 
                 // Use the full hostname in the URL if we have one, otherwise just go with a local URI
@@ -1402,7 +1405,8 @@ public static class LoginForm extends AgreeToTermsForm
         private String email;
         private String password;
         private String provider;
-        private boolean forceReauth = false;
+        private boolean forceReauth = false;     // If true, require valid credentials even if logged in
+        private boolean local = false;           // If true, require on re-auth that current session user matches re-auth user
 
         public String getProvider()
         {
@@ -1447,6 +1451,17 @@ public void setForceReauth(boolean forceReauth)
         {
             this.forceReauth = forceReauth;
         }
+
+        public boolean isLocal()
+        {
+            return local;
+        }
+
+        @SuppressWarnings("unused")
+        public void setLocal(boolean local)
+        {
+            this.local = local;
+        }
     }
 
     @RequiresNoPermission
@@ -1649,8 +1664,11 @@ public Object execute(ReturnUrlForm form, BindException errors)
             }
             JSONObject resp = new JSONObject();
             resp.put("description", configuration.getDescription());
-            if (configuration instanceof SSOAuthenticationConfiguration<?> sso)
-                resp.put("reauthUrl", urlProvider(LoginUrls.class).getSSOReauthURL(sso, form.getReturnActionURL()));
+            LoginUrls urls = urlProvider(LoginUrls.class);
+            ActionURL reauthUrl = configuration instanceof SSOAuthenticationConfiguration<?> sso ?
+                urls.getSSOReauthURL(sso, form.getReturnActionURL()) :
+                urls.getForceReauthURL(getContainer(), true, form.getReturnActionURL());
+            resp.put("reauthUrl", reauthUrl.getLocalURIString());
             return success(resp);
         }
     }
diff --git a/core/webapp/login.js b/core/webapp/login.js
index e2534ede023..a40073b8fb9 100644
--- a/core/webapp/login.js
+++ b/core/webapp/login.js
@@ -44,7 +44,8 @@
                 returnUrl: returnUrlElement && returnUrlElement.value ? returnUrlElement.value : LABKEY.ActionURL.getParameter("returnUrl"),
                 skipProfile: LABKEY.ActionURL.getParameter("skipProfile") || 0,
                 urlhash: document.getElementById('urlhash').value,
-                forceReauth: LABKEY.ActionURL.getParameter("forceReauth") || false
+                forceReauth: LABKEY.ActionURL.getParameter("forceReauth") || false,
+                local: LABKEY.ActionURL.getParameter("local") || false
             },
             success: LABKEY.Utils.getCallbackWrapper(function(response) {
                 setSubmitting(false, [{msg: ''}]);
diff --git a/devtools/src/org/labkey/devtools/TestController.java b/devtools/src/org/labkey/devtools/TestController.java
index caaad89d161..6c49f6572c5 100644
--- a/devtools/src/org/labkey/devtools/TestController.java
+++ b/devtools/src/org/labkey/devtools/TestController.java
@@ -1515,7 +1515,7 @@ public ModelAndView getView(ReauthForm form, boolean reshow, BindException error
         @Override
         public boolean handlePost(ReauthForm form, BindException errors)
         {
-            User reauthUser = AuthenticationManager.getAndClearReauthUser(getViewContext().getRequestOrThrow(), form.reauthToken());
+            User reauthUser = AuthenticationManager.getAndClearReauthUser(getViewContext().getRequestOrThrow(), form.reauthToken(), getUser());
             if (reauthUser == null)
                 throw new NotFoundException("Reauthentication validation failed!");
             return true;
diff --git a/devtools/src/org/labkey/devtools/view/testReauth.jsp b/devtools/src/org/labkey/devtools/view/testReauth.jsp
index 15e51bff28c..7262bcdbce7 100644
--- a/devtools/src/org/labkey/devtools/view/testReauth.jsp
+++ b/devtools/src/org/labkey/devtools/view/testReauth.jsp
@@ -1,6 +1,6 @@
 <%
 /*
- * Copyright (c) 2014-2026 LabKey Corporation
+ * Copyright (c) 2026 LabKey Corporation
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -15,11 +15,9 @@
  * limitations under the License.
  */
 %>
-<%@ page import="org.labkey.api.view.ActionURL" %>
 <%@ page import="org.labkey.api.view.HttpView" %>
 <%@ page import="org.labkey.api.view.JspView" %>
 <%@ page import="org.labkey.devtools.TestController.ReauthForm" %>
-<%@ page import="org.labkey.devtools.TestController.TestReauthAction" %>
 <%@ taglib prefix="labkey" uri="http://www.labkey.org/taglib" %>
 <%@ page extends="org.labkey.api.jsp.JspBase" %>
 <%
@@ -31,16 +29,14 @@
         LABKEY.Ajax.request({
             url: LABKEY.ActionURL.buildURL('login', 'getAuthenticationConfiguration.api'),
             params: {
-                returnUrl: window.location.href,
+                returnUrl: LABKEY.ActionURL.buildURL('test', 'testReauth.view'),
             },
             success: function(response) {
                 const needReauth = <%=form.reauthToken() == null%>;
                 const data = JSON.parse(response.responseText).data;
                 document.getElementById("description").textContent = data.description;
-                if (needReauth && data.reauthUrl) {
-                    const link = document.getElementById("link");
-                    link.href = data.reauthUrl;
-                    link.style.display = "inline";
+                if (needReauth) {
+                    document.getElementById("link").href = data.reauthUrl;
                 }
             },
             failure: function() {
@@ -58,23 +54,28 @@ You authenticated with: <span id="description"></span><br/>
 %>
 Looks like you successfully re-authenticated and received token: <%=h(form.reauthToken())%><br/>
 
-<labkey:form method="POST">
+<labkey:form method="post">
     <input type="hidden" name="reauthToken" value="<%=h(form.reauthToken())%>">
     <input class="labkey-button primary" type="submit" value="Sign!">
 </labkey:form>
 <%
     }
-    else if (form.errorMessage() != null)
+    else
     {
+        if (form.errorMessage() != null)
+        {
 %>
 Looks like your reauthentication failed: <%=h(form.errorMessage())%>. Try again?
 <%
-    }
-    else
-    {
+        }
+        else
+        {
+%>
+You need to re-authenticate.
+<%
+        }
 %>
-Looks like you need to re-authenticate.
+        <a id="link" href="">Click here</a>
 <%
     }
 %>
-<a style="display: none;" id="link" href="">Click here</a>

From 978e369497d7589aa6387080af0532eaa23cb49b Mon Sep 17 00:00:00 2001
From: Adam Rauch <adam@labkey.com>
Date: Mon, 8 Jun 2026 16:29:55 -0700
Subject: [PATCH 4/4] Add TestSSO re-auth support

---
 .../authentication/TestSsoConfiguration.java   |  6 +++---
 .../authentication/TestSsoController.java      | 18 +++++++++++++++---
 .../labkey/devtools/authentication/testSso.jsp | 13 +++++++------
 3 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/devtools/src/org/labkey/devtools/authentication/TestSsoConfiguration.java b/devtools/src/org/labkey/devtools/authentication/TestSsoConfiguration.java
index 48d777e6ef0..fb0314f1def 100644
--- a/devtools/src/org/labkey/devtools/authentication/TestSsoConfiguration.java
+++ b/devtools/src/org/labkey/devtools/authentication/TestSsoConfiguration.java
@@ -46,7 +46,7 @@ protected TestSsoConfiguration(TestSsoProvider provider, Map<String, Object> sta
     }
 
     @Override
-    public URLHelper getUrl(ViewContext ctx)
+    public ActionURL getUrl(ViewContext ctx)
     {
         ActionURL url = new ActionURL(TestSsoController.TestSsoAction.class, ContainerManager.getRoot());
         url.addParameter("configuration", getRowId());
@@ -55,9 +55,9 @@ public URLHelper getUrl(ViewContext ctx)
     }
 
     @Override
-    public URLHelper getReauthUrl(ViewContext ctx)
+    public ActionURL getReauthUrl(ViewContext ctx)
     {
-        throw new NotImplementedException();
+        return getUrl(ctx).addParameter("reauth", true);
     }
 
     @Override
diff --git a/devtools/src/org/labkey/devtools/authentication/TestSsoController.java b/devtools/src/org/labkey/devtools/authentication/TestSsoController.java
index 06290a5abcd..1017fc879a5 100644
--- a/devtools/src/org/labkey/devtools/authentication/TestSsoController.java
+++ b/devtools/src/org/labkey/devtools/authentication/TestSsoController.java
@@ -50,10 +50,10 @@ public TestSsoController()
 
     @RequiresNoPermission
     @AllowedDuringUpgrade
-    public static class TestSsoAction extends SimpleViewAction<AuthenticationConfigurationForm>
+    public static class TestSsoAction extends SimpleViewAction<TestSsoForm>
     {
         @Override
-        public ModelAndView getView(AuthenticationConfigurationForm form, BindException errors)
+        public ModelAndView getView(TestSsoForm form, BindException errors)
         {
             getPageConfig().setTemplate(PageConfig.Template.Dialog);
             return new JspView<>("/org/labkey/devtools/authentication/testSso.jsp", form, errors);
@@ -68,6 +68,7 @@ public void addNavTrail(NavTree root)
     public static class TestSsoForm extends AuthenticationConfigurationForm
     {
         private String _email;
+        private boolean _reauth;
 
         public String getEmail()
         {
@@ -79,6 +80,17 @@ public void setEmail(String email)
         {
             _email = email;
         }
+
+        public boolean isReauth()
+        {
+            return _reauth;
+        }
+
+        @SuppressWarnings("unused")
+        public void setReauth(boolean reauth)
+        {
+            _reauth = reauth;
+        }
     }
 
     @AllowedDuringUpgrade
@@ -94,7 +106,7 @@ public static class ValidateAction extends BaseSsoValidateAction<TestSsoForm>
             if (null == configuration)
                 throw new NotFoundException("Invalid TestSso configuration");
 
-            return AuthenticationResponse.success(configuration, new ValidEmail(form.getEmail()));
+            return AuthenticationResponse.success(configuration, new ValidEmail(form.getEmail())).setReauth(form.isReauth());
         }
     }
 
diff --git a/devtools/src/org/labkey/devtools/authentication/testSso.jsp b/devtools/src/org/labkey/devtools/authentication/testSso.jsp
index 246ced97d51..68020d24668 100644
--- a/devtools/src/org/labkey/devtools/authentication/testSso.jsp
+++ b/devtools/src/org/labkey/devtools/authentication/testSso.jsp
@@ -15,21 +15,22 @@
  * limitations under the License.
  */
 %>
-<%@ page import="org.labkey.api.security.AuthenticationManager.AuthenticationConfigurationForm" %>
 <%@ page import="org.labkey.api.view.HttpView" %>
 <%@ page import="org.labkey.api.view.JspView" %>
+<%@ page import="org.labkey.devtools.authentication.TestSsoController.TestSsoForm" %>
 <%@ page import="org.labkey.devtools.authentication.TestSsoController.ValidateAction" %>
 <%@ page extends="org.labkey.api.jsp.JspBase" %>
 <%@ taglib prefix="labkey" uri="http://www.labkey.org/taglib" %>
 <%
-    JspView<AuthenticationConfigurationForm> me = HttpView.currentView();
-    AuthenticationConfigurationForm form = me.getModelBean();
+    JspView<TestSsoForm> me = HttpView.currentView();
+    TestSsoForm form = me.getModelBean();
 %>
 <labkey:form action="<%=urlFor(ValidateAction.class)%>" method="post" layout="horizontal">
     <input type="hidden" name="configuration" value="<%=form.getConfiguration()%>">
+    <input type="hidden" name="reauth" value="<%=form.isReauth()%>">
     <labkey:input type="text" name="email" value="" size="50"
-                  label="SSO Test Authentication"
-                  contextContent="Type an email address below to \"authenticate\" as that user."
+        label="SSO Test Authentication"
+        contextContent="Type an email address below to \"authenticate\" as that user."
     />
-    <%= button("Authenticate").submit(true) %>
+    <%= button(form.isReauth() ? "Reauthenticate" : "Authenticate").submit(true) %>
 </labkey:form>
\ No newline at end of file