fix(jans-auth-server): second authorization challenge call does not i…

…nvoke the right script #10745 (#10746) Signed-off-by: YuriyZ <[email protected]>
JanssenProject · Jan 27, 2025 · 3ba585c · 3ba585c
1 parent 27faefc
commit 3ba585c
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 5 deletions.
diff --git a/docs/script-catalog/authorization_challenge/AgamaChallenge.java b/docs/script-catalog/authorization_challenge/AgamaChallenge.java
@@ -178,6 +178,9 @@ public boolean authorize(Object scriptContext) {
             deviceSessionObjectAttrs.put("scope", servletRequest.getParameter("scope"));
 
             deviceSessionService.persist(deviceSessionObject);
+
+            authRequest.setAuthorizationChallengeSessionObject(deviceSessionObject);
+            authRequest.setAuthorizationChallengeSession(deviceSessionObject.getId());
 
         } else {
             sessionId = deviceSessionObject.getId();

diff --git a/docs/script-catalog/authorization_challenge/AuthorizationChallenge.java b/docs/script-catalog/authorization_challenge/AuthorizationChallenge.java
@@ -130,6 +130,8 @@ private AuthorizationChallengeSession prepareAuthorizationChallengeSession(Exter
         boolean newSave = authorizationChallengeSessionObject == null;
         if (newSave) {
             authorizationChallengeSessionObject = authorizationChallengeSessionService.newAuthorizationChallengeSession();
+            context.getAuthzRequest().setAuthorizationChallengeSessionObject(authorizationChallengeSessionObject);
+            context.getAuthzRequest().setAuthorizationChallengeSession(authorizationChallengeSessionObject.getId());
         }
 
         final String dpop = context.getHttpRequest().getHeader(DpopService.DPOP);

diff --git a/docs/script-catalog/authorization_challenge/multi_step/AuthorizationChallenge.java b/docs/script-catalog/authorization_challenge/multi_step/AuthorizationChallenge.java
@@ -130,6 +130,8 @@ private AuthorizationChallengeSession prepareAuthorizationChallengeSession(Exter
         boolean newSave = sessionObject == null;
         if (newSave) {
             sessionObject = authorizationChallengeSessionService.newAuthorizationChallengeSession();
+            context.getAuthzRequest().setAuthorizationChallengeSessionObject(authorizationChallengeSessionObject);
+            context.getAuthzRequest().setAuthorizationChallengeSession(authorizationChallengeSessionObject.getId());
         }
 
         String username = context.getHttpRequest().getParameter(USERNAME_PARAMETER);

diff --git a/...server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java b/...server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
@@ -114,20 +114,21 @@ public Response requestAuthorization(AuthzRequest authzRequest) {
     public void prepareAuthzRequest(AuthzRequest authzRequest) {
         authzRequest.setScope(ServerUtil.urlDecode(authzRequest.getScope()));
 
-        externalAuthorizationChallengeService.externalPrepareAuthzRequest(authzRequest);
-
+        log.trace("prepareAuthzRequest - authorization challenge session {}", authzRequest.getAuthorizationChallengeSession());
         if (StringUtils.isNotBlank(authzRequest.getAuthorizationChallengeSession())) {
             final AuthorizationChallengeSession session = authorizationChallengeSessionService.getAuthorizationChallengeSession(authzRequest.getAuthorizationChallengeSession());
 
             authorizationChallengeValidator.validateDpopJkt(session, authzRequest.getDpop());
 
             authzRequest.setAuthorizationChallengeSessionObject(session);
             if (session != null) {
+                log.trace("prepareAuthzRequest - sessionAttributes {}, id {}", session.getAttributes().getAttributes(), session.getId());
                 final Map<String, String> attributes = session.getAttributes().getAttributes();
 
                 final String clientId = attributes.get("client_id");
                 if (StringUtils.isNotBlank(clientId) && StringUtils.isBlank(authzRequest.getClientId())) {
                     authzRequest.setClientId(clientId);
+                    log.trace("prepareAuthzRequest - Set client_id {} from session", clientId);
                 }
 
                 String acrValues = session.getAttributes().getAcrValues();
@@ -136,9 +137,20 @@ public void prepareAuthzRequest(AuthzRequest authzRequest) {
                 }
                 if (StringUtils.isNotBlank(acrValues) && StringUtils.isBlank(authzRequest.getAcrValues())) {
                     authzRequest.setAcrValues(acrValues);
+                    log.trace("prepareAuthzRequest - Set acr_values {} from session", acrValues);
+                }
+
+                final String scope = attributes.get("scope");
+                if (StringUtils.isNotBlank(scope) && StringUtils.isBlank(authzRequest.getScope())) {
+                    authzRequest.setScope(scope);
+                    log.trace("prepareAuthzRequest - Set scope {} from session", scope);
                 }
+            } else {
+                log.debug("Unable to find authorization challenge session by id {}", authzRequest.getAuthorizationChallengeSession());
             }
         }
+
+        externalAuthorizationChallengeService.externalPrepareAuthzRequest(authzRequest);
     }
 
     public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBindingParseException {

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequest.java b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthzRequest.java
@@ -109,6 +109,10 @@ public AuthorizationChallengeSession getAuthorizationChallengeSessionObject() {
         return authorizationChallengeSessionObject;
     }
 
+    public Map<String, String> getAuthorizationChallengeSessionAttributesSafely() {
+        return authorizationChallengeSessionObject != null ? authorizationChallengeSessionObject.getAttributes().getAttributes() : new HashMap<>();
+    }
+
     public void setAuthorizationChallengeSessionObject(AuthorizationChallengeSession authorizationChallengeSessionObject) {
         this.authorizationChallengeSessionObject = authorizationChallengeSessionObject;
     }

diff --git a/...c/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java b/...c/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java
@@ -1,5 +1,6 @@
 package io.jans.as.server.service.external;
 
+import io.jans.as.common.model.session.AuthorizationChallengeSession;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
 import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.model.error.ErrorResponseFactory;
@@ -9,11 +10,13 @@
 import io.jans.model.custom.script.CustomScriptType;
 import io.jans.model.custom.script.conf.CustomScriptConfiguration;
 import io.jans.model.custom.script.type.authzchallenge.AuthorizationChallengeType;
+import io.jans.orm.PersistenceEntryManager;
 import io.jans.service.custom.script.ExternalScriptService;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.core.Response;
+import org.apache.commons.lang3.ArrayUtils;
 
 import java.util.HashMap;
 import java.util.List;
@@ -33,6 +36,9 @@ public class ExternalAuthorizationChallengeService extends ExternalScriptService
     @Inject
     private transient ErrorResponseFactory errorResponseFactory;
 
+    @Inject
+    private transient PersistenceEntryManager persistenceEntryManager;
+
     public ExternalAuthorizationChallengeService() {
         super(CustomScriptType.AUTHORIZATION_CHALLENGE);
     }
@@ -95,6 +101,7 @@ public boolean externalAuthorize(ExecutionContext executionContext) {
             AuthorizationChallengeType authorizationChallengeType = (AuthorizationChallengeType) script.getExternalType();
             final ExternalScriptContext scriptContext = new ExternalScriptContext(executionContext);
             result = authorizationChallengeType.authorize(scriptContext);
+            saveRequestParametersInSession(scriptContext);
 
             scriptContext.throwWebApplicationExceptionIfSet();
         } catch (WebApplicationException e) {
@@ -116,6 +123,35 @@ public boolean externalAuthorize(ExecutionContext executionContext) {
         return result;
     }
 
+    private void saveRequestParametersInSession(ExternalScriptContext scriptContext) {
+        final AuthzRequest authzRequest = scriptContext.getAuthzRequest();
+        final AuthorizationChallengeSession session = authzRequest.getAuthorizationChallengeSessionObject();
+        if (session == null) {
+            log.trace("Authorization challenge session is not found.");
+            return;
+        }
+
+        final Map<String, String> attributes = session.getAttributes().getAttributes();
+        final Map<String, String[]> parameterMap = scriptContext.getHttpRequest().getParameterMap();
+        if (parameterMap == null || parameterMap.isEmpty()) {
+            return;
+        }
+
+        for (Map.Entry<String, String[]> entry : parameterMap.entrySet()) {
+            if (!attributes.containsKey(entry.getKey()) && ArrayUtils.isNotEmpty(entry.getValue())) {
+                final String value = entry.getValue()[0];
+                attributes.put(entry.getKey(), value);
+                log.trace("Put in session request parameter: {}, value: {}", entry.getKey(), value);
+            }
+        }
+
+        try {
+            persistenceEntryManager.merge(session);
+        } catch (Exception e) {
+            log.error("Failed to save authorization challenge session: " + session.getId(), e);
+        }
+    }
+
     public CustomScriptConfiguration identifyScript(List<String> acrValues) {
         log.trace("Identifying script, acr_values: {}", acrValues);
 
@@ -148,8 +184,8 @@ public void externalPrepareAuthzRequest(AuthzRequest authzRequest) {
                     .build());
         }
 
-        log.trace("Executing python 'prepareAuthzRequest' method, script name: {}, clientId: {}, scope: {}, authorizationChallengeSession: {}",
-                script.getName(), authzRequest.getClientId(), authzRequest.getScope(), authzRequest.getAuthorizationChallengeSession());
+        log.trace("Executing python 'prepareAuthzRequest' method, script name: {}, clientId: {}, scope: {}, authorizationChallengeSession: {}, sessionAttributes: {}",
+                script.getName(), authzRequest.getClientId(), authzRequest.getScope(), authzRequest.getAuthorizationChallengeSessionAttributesSafely());
 
         ExecutionContext executionContext = ExecutionContext.of(authzRequest);
         executionContext.setScript(script);
@@ -174,6 +210,6 @@ public void externalPrepareAuthzRequest(AuthzRequest authzRequest) {
                     .build());
         }
 
-        log.trace("Finished 'prepareAuthzRequest' method, script name: {}, clientId: {}", script.getName(), executionContext.getAuthzRequest().getClientId());
+        log.trace("Finished 'prepareAuthzRequest' method, script name: {}, clientId: {}, sessionAttributes: {}", script.getName(), executionContext.getAuthzRequest().getClientId(), authzRequest.getAuthorizationChallengeSessionAttributesSafely());
     }
 }