
question: about consent mappings for agama #10686

Open
jgomer2001 opened this issue Jan 17, 2025 · 7 comments

Comments

@jgomer2001 (Contributor)

Suppose a server configured as follows:

| Authn method | acr | Implementation | Impl type |
|---|---|---|---|
| HOTP/TOTP | otp | OtpExternalAuthenticator.py | Jython script |
| Basic | basic | BasicExternalAuthenticator.py | Jython script |
| SMS | agama_io.jans.authn.sms | io.jans.authn.sms | Agama flow |
| Passkeys | agama_io.jans.authn.fido2 | io.jans.authn.fido2 | Agama flow |

| Consent script | Impl type |
|---|---|
| ConsentGatheringExample.py | Jython script |
| agama_io.jans.consent.A | Agama flow |
| agama_io.jans.consent.B | Agama flow |

This server has AgamaBridge.py and AgamaConsentBridge.py to launch authn and consent flows respectively.

Now, assume the following combination of authn/authz is desired:

| acr | Consent |
|---|---|
| otp | ConsentGatheringExample.py |
| basic | agama_io.jans.consent.A |
| agama_io.jans.authn.sms | ConsentGatheringExample.py |
| agama_io.jans.authn.fido2 | agama_io.jans.consent.B |

According to discussion, with issue #10548 there will be a mapping like:

| acr | script |
|---|---|
| otp | ConsentGatheringExample.py |
| basic | AgamaConsentBridge.py |
| agama_io.jans.authn.sms | ConsentGatheringExample.py |
| agama_io.jans.authn.fido2 | AgamaConsentBridge.py |

Question:

How will AgamaConsentBridge.py determine the specific flow to launch? I.e. agama_io.jans.consent.A or agama_io.jans.consent.B?

@nynymike (Contributor)

Excellent question!

@yuriyz (Contributor)

yuriyz commented Jan 17, 2025

If acr 1 is agama_io.jans.authn.sms and acr 2 is agama_io.jans.authn.fido2, can't we re-use the same names for the consent flow: io.jans.authn.sms instead of io.jans.consent.A and io.jans.authn.fido2 instead of io.jans.consent.B?
Can we set a rule that authentication flow and authorization Agama flow names must exactly match?

- authn
  - io
    - jans
      - authn
        - fido2
- authz
  - io
    - jans
      - authn
        - fido2

@jgomer2001 (Contributor, Author)

jgomer2001 commented Jan 17, 2025

No, qualified names are identifiers.

Also, the same Agama consent flow can be used for several different acrs. Some of those acrs may not even start with agama_.

@yuriyz (Contributor)

yuriyz commented Jan 17, 2025

What if we add another configuration property that maps acr to consent flow, like this:

agama_io.jans.authn.sms - io.jans.consent.A
agama_io.jans.authn.fido2 - io.jans.consent.B

The algorithm is:

  1. AS gets an authorization request with acr_values=agama_io.jans.authn.sms
  2. io.jans.authn.sms is run
  3. AS identifies AgamaConsentBridge.py by configuration, also reads the other configuration property (the mapping) and sets consent_flow=io.jans.consent.A into the session (it should be possible to load it with context.getSessionAttributes().get("consent_flow")).

It means we will need two additional configuration mappings. Thoughts?
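As an added illustration in plain Python (not Janssen's code) of the algorithm above: the two mappings are validated together at load time, so an acr that points at AgamaConsentBridge.py without a consent flow is rejected instead of silently reaching consent with no flow, and a request's acr_values is resolved to the consent script plus the consent_flow session attribute. ConsentConfig, resolve_consent and the sample configuration are assumptions constructed from the tables in this issue.

```python
from dataclasses import dataclass

CONSENT_BRIDGE = "AgamaConsentBridge.py"  # the script that launches Agama consent flows


@dataclass
class ConsentConfig:
    acr_to_script: dict   # acr -> consent script (the mapping from #10548)
    acr_to_flow: dict     # acr -> Agama consent flow (the second mapping proposed here)
    deployed_flows: set   # qualified names of the Agama consent flows deployed on the server

    def validate(self):
        """Return a list of problems; a non-empty list should stop startup (fail closed)."""
        problems = []
        for acr, script in self.acr_to_script.items():
            if script == CONSENT_BRIDGE and acr not in self.acr_to_flow:
                problems.append("%s: bridge script configured but no consent flow mapped" % acr)
        for acr, flow in self.acr_to_flow.items():
            if self.acr_to_script.get(acr) != CONSENT_BRIDGE:
                problems.append("%s: consent flow %s mapped but script is not the bridge" % (acr, flow))
            if flow not in self.deployed_flows:
                problems.append("%s: consent flow %s is not deployed" % (acr, flow))
        return problems


def resolve_consent(config, acr_values, session):
    """Pick the first requested acr with a consent script; store consent_flow in the session."""
    for acr in acr_values:
        script = config.acr_to_script.get(acr)
        if script is None:
            continue
        if script == CONSENT_BRIDGE:
            # AgamaConsentBridge.py would later read this via context.getSessionAttributes().get("consent_flow")
            session["consent_flow"] = config.acr_to_flow[acr]
        return acr, script
    raise LookupError("no consent script configured for acr_values %r" % (acr_values,))


def example_config():
    """Constructed from the tables in this issue (not a real server configuration)."""
    bridge, example = CONSENT_BRIDGE, "ConsentGatheringExample.py"
    return ConsentConfig(
        acr_to_script={"otp": example, "basic": bridge,
                       "agama_io.jans.authn.sms": example, "agama_io.jans.authn.fido2": bridge},
        acr_to_flow={"basic": "io.jans.consent.A", "agama_io.jans.authn.fido2": "io.jans.consent.B"},
        deployed_flows={"io.jans.consent.A", "io.jans.consent.B"},
    )
```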

@jgomer2001 (Contributor, Author)

I had proposed to set that new mapping in the config properties of AgamaConsentBridge.py:

Image

But having the two mappings in the AS config sounds like it's better organized.

@yuriyz (Contributor)

yuriyz commented Jan 17, 2025

Great, then agreed. I will add two new configuration properties and will make them available in the session.
It will be done as part of #10548.

@jgomer2001 (Contributor, Author)

Thanks!
