feat(jans-auth-server): introduced new 'prepareAuthzRequest' method i…

…n authorization challenge script #10588 Signed-off-by: YuriyZ <[email protected]>
JanssenProject · Jan 13, 2025 · c1c6d5c · c1c6d5c
1 parent 856f9fe
commit c1c6d5c
Show file tree

Hide file tree

Showing 6 changed files with 84 additions and 1 deletion.
diff --git a/docs/script-catalog/authorization_challenge/AuthorizationChallenge.java b/docs/script-catalog/authorization_challenge/AuthorizationChallenge.java
@@ -221,4 +221,19 @@ public int getApiVersion() {
     public Map<String, String> getAuthenticationMethodClaims(Object context) {
         return new HashMap<>();
     }
+
+    @Override
+    public void prepareAuthzRequest(Object scriptContext) {
+        ExternalScriptContext context = (ExternalScriptContext) scriptContext;
+        final AuthorizationChallengeSession sessionObject = context.getAuthzRequest().getAuthorizationChallengeSessionObject();
+        if (sessionObject != null) {
+            final Map<String, String> sessionAttributes = sessionObject.getAttributes().getAttributes();
+
+            // set scope from session into request object
+            final String scopeFromSession = sessionAttributes.get("scope");
+            if (StringUtils.isNotBlank(scopeFromSession) && StringUtils.isBlank(context.getAuthzRequest().getScope())) {
+                context.getAuthzRequest().setScope(scopeFromSession);
+            }
+        }
+    }
 }
diff --git a/docs/script-catalog/authorization_challenge/multi_step/AuthorizationChallenge.java b/docs/script-catalog/authorization_challenge/multi_step/AuthorizationChallenge.java
@@ -196,4 +196,19 @@ public int getApiVersion() {
     public Map<String, String> getAuthenticationMethodClaims(Object context) {
         return new HashMap<>();
     }
+
+    @Override
+    public void prepareAuthzRequest(Object scriptContext) {
+        ExternalScriptContext context = (ExternalScriptContext) scriptContext;
+        final AuthorizationChallengeSession sessionObject = context.getAuthzRequest().getAuthorizationChallengeSessionObject();
+        if (sessionObject != null) {
+            final Map<String, String> sessionAttributes = sessionObject.getAttributes().getAttributes();
+
+            // set scope from session into request object
+            final String scopeFromSession = sessionAttributes.get("scope");
+            if (StringUtils.isNotBlank(scopeFromSession) && StringUtils.isBlank(context.getAuthzRequest().getScope())) {
+                context.getAuthzRequest().setScope(scopeFromSession);
+            }
+        }
+    }
 }
diff --git a/...server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java b/...server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
@@ -114,6 +114,8 @@ public Response requestAuthorization(AuthzRequest authzRequest) {
     public void prepareAuthzRequest(AuthzRequest authzRequest) {
         authzRequest.setScope(ServerUtil.urlDecode(authzRequest.getScope()));
 
+        externalAuthorizationChallengeService.externalPrepareAuthzRequest(authzRequest);
+
         if (StringUtils.isNotBlank(authzRequest.getAuthorizationChallengeSession())) {
             final AuthorizationChallengeSession session = authorizationChallengeSessionService.getAuthorizationChallengeSession(authzRequest.getAuthorizationChallengeSession());
 
@@ -158,7 +160,7 @@ public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBi
         executionContext.setSessionId(sessionUser);
 
         if (user == null) {
-            log.trace("Executing external authentication challenge");
+            log.trace("Executing external authentication challenge ... (requestedScopes: {})", scopes);
 
             final boolean ok = externalAuthorizationChallengeService.externalAuthorize(executionContext);
             if (!ok) {
@@ -179,6 +181,8 @@ public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBi
 
         String grantAcr = executionContext.getScript() != null ? executionContext.getScript().getName() : authzRequest.getAcrValues();
 
+        log.trace("Creating authorization code grant with: scope {}, acr {}", scopes, grantAcr);
+
         AuthorizationCodeGrant authorizationGrant = authorizationGrantList.createAuthorizationCodeGrant(user, client, new Date());
         authorizationGrant.setNonce(authzRequest.getNonce());
         authorizationGrant.setJwtAuthorizationRequest(authzRequest.getJwtRequest());

diff --git a/...c/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java b/...c/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java
@@ -3,6 +3,7 @@
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
 import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.model.error.ErrorResponseFactory;
+import io.jans.as.server.authorize.ws.rs.AuthzRequest;
 import io.jans.as.server.model.common.ExecutionContext;
 import io.jans.as.server.service.external.context.ExternalScriptContext;
 import io.jans.model.custom.script.CustomScriptType;
@@ -134,4 +135,45 @@ public CustomScriptConfiguration identifyScript(List<String> acrValues) {
         log.trace("Unable to find script by acr_values {}", acrValues);
         return getCustomScriptConfigurationByName(appConfiguration.getAuthorizationChallengeDefaultAcr());
     }
+
+    public void externalPrepareAuthzRequest(AuthzRequest authzRequest) {
+        final List<String> acrValues = authzRequest.getAcrValuesList();
+        final CustomScriptConfiguration script = identifyScript(acrValues);
+        if (script == null) {
+            String msg = String.format("Unable to identify script by acr_values %s.", acrValues);
+            log.debug(msg);
+            throw new WebApplicationException(errorResponseFactory
+                    .newErrorResponse(Response.Status.BAD_REQUEST)
+                    .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.INVALID_REQUEST, authzRequest.getState(), msg))
+                    .build());
+        }
+
+        log.trace("Executing python 'prepareAuthzRequest' method, script name: {}, clientId: {}, scope: {}, authorizationChallengeSession: {}",
+                script.getName(), authzRequest.getClientId(), authzRequest.getScope(), authzRequest.getAuthorizationChallengeSession());
+
+        ExecutionContext executionContext = ExecutionContext.of(authzRequest);
+        executionContext.setScript(script);
+
+        try {
+            AuthorizationChallengeType authorizationChallengeType = (AuthorizationChallengeType) script.getExternalType();
+            final ExternalScriptContext scriptContext = new ExternalScriptContext(executionContext);
+            authorizationChallengeType.prepareAuthzRequest(scriptContext);
+
+            scriptContext.throwWebApplicationExceptionIfSet();
+        } catch (WebApplicationException e) {
+            if (log.isTraceEnabled()) {
+                log.trace("WebApplicationException from script", e);
+            }
+            throw e;
+        } catch (Exception ex) {
+            log.error(ex.getMessage(), ex);
+            saveScriptError(script.getCustomScript(), ex);
+            throw new WebApplicationException(errorResponseFactory
+                    .newErrorResponse(Response.Status.INTERNAL_SERVER_ERROR)
+                    .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, executionContext.getAuthzRequest().getState(), "Unable to run 'prepareAuthzRequest' method authorization challenge script."))
+                    .build());
+        }
+
+        log.trace("Finished 'prepareAuthzRequest' method, script name: {}, clientId: {}", script.getName(), executionContext.getAuthzRequest().getClientId());
+    }
 }
diff --git a/...main/java/io/jans/model/custom/script/type/authzchallenge/AuthorizationChallengeType.java b/...main/java/io/jans/model/custom/script/type/authzchallenge/AuthorizationChallengeType.java
@@ -12,4 +12,7 @@ public interface AuthorizationChallengeType extends BaseExternalType {
     boolean authorize(Object context);
 
     Map<String, String> getAuthenticationMethodClaims(Object context);
+
+    // prepare authzRequest - AuthzRequest class
+    void prepareAuthzRequest(Object context);
 }
diff --git a/...java/io/jans/model/custom/script/type/authzchallenge/DummyAuthorizationChallengeType.java b/...java/io/jans/model/custom/script/type/authzchallenge/DummyAuthorizationChallengeType.java
@@ -21,6 +21,10 @@ public Map<String, String> getAuthenticationMethodClaims(Object context) {
         return new HashMap<>();
     }
 
+    @Override
+    public void prepareAuthzRequest(Object context) {
+    }
+
     @Override
     public boolean init(Map<String, SimpleCustomProperty> configurationAttributes) {
         return false;