From fffce801d45daa5070b64e3daf69f6efa41e3b96 Mon Sep 17 00:00:00 2001
From: YuriyZ
Date: Tue, 7 Jan 2025 13:53:25 +0200
Subject: [PATCH] fix(jans-auth-server): challenge endpoint returns 400 if authorize throws an unexpected exception

https://github.com/JanssenProject/jans/issues/10553

Signed-off-by: YuriyZ
---
 .../authorize/ws/rs/AuthorizationChallengeService.java | 4 ++--
 .../java/io/jans/as/server/model/common/CacheGrant.java | 6 +++++-
 .../external/ExternalAuthorizationChallengeService.java | 4 ++++
 jans-linux-setup/jans_setup/templates/scripts.ldif | 8 ++++----
 4 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
index e6543f948e4..2cc8ece3184 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
@@ -164,8 +164,8 @@ public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBi
 if (!ok) {
 log.debug("Not allowed by authorization challenge script, client_id {}.", client.getClientId());
 throw new WebApplicationException(errorResponseFactory
- .newErrorResponse(Response.Status.BAD_REQUEST)
- .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, state, "No allowed by authorization challenge script."))
+ .newErrorResponse(Response.Status.UNAUTHORIZED)
+ .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, state, "Not allowed by authorization challenge script."))
 .build());
 }
 
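Review bot: The `!ok` branch now answers 401, but nothing in the hunk adds the `WWW-Authenticate` header that RFC 7235 §3.1 requires on every 401 response; unless `errorResponseFactory.newErrorResponse` sets it (not visible here), it should be added on the builder before `.build()` or the choice of 401 without it should be documented on the method. Clients that branched on the previous 400 for the same denial will now see a different status, so the endpoint documentation and any test pinning the denial response need the new value with this change. The enclosing `authorize` method starts and ends outside the hunk.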
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/CacheGrant.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/CacheGrant.java
index b86ef6aa28f..c73914ab508 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/CacheGrant.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/CacheGrant.java
@@ -43,6 +43,7 @@ public class CacheGrant implements Serializable {
 private String acrValues;
 private String sessionDn;
 private int expiresIn = 1;
+ private boolean isAuthorizationChallenge;
 
 // CIBA
 private String authReqId;
@@ -73,6 +74,7 @@ public CacheGrant(AuthorizationGrant grant, AppConfiguration appConfiguration) {
 codeChallengeMethod = grant.getCodeChallengeMethod();
 claims = grant.getClaims();
 sessionDn = grant.getSessionDn();
+ isAuthorizationChallenge = grant.isAuthorizationChallenge();
 }
 
 public CacheGrant(CIBAGrant grant, AppConfiguration appConfiguration) {
@@ -263,6 +265,7 @@ public AuthorizationCodeGrant asCodeGrant(Instance g
 grant.setAcrValues(acrValues);
 grant.setNonce(nonce);
 grant.setClaims(claims);
+ grant.setAuthorizationChallenge(isAuthorizationChallenge);
 return grant;
 }
 
@@ -335,11 +338,12 @@ public String getDeviceCode() {
 
 @Override
 public String toString() {
- return "MemcachedGrant{" +
+ return "CacheGrant{" +
 "authorizationCode=" + authorizationCodeString +
 ", user=" + user +
 ", client=" + client +
 ", authenticationTime=" + authenticationTime +
+ ", isAuthorizationChallenge=" + isAuthorizationChallenge +
 '}';
 }
 }
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java
index 32d93f7070c..36700006f0e 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java
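Review bot: Adding the field `isAuthorizationChallenge` to `CacheGrant implements Serializable` (first hunk) changes the class's serialized form: if the class declares no explicit `serialVersionUID` (not visible in these hunks), grant entries written by the previous version and still present in the cache will fail to deserialize with `InvalidClassException` after an upgrade, and if it does declare one they come back with the flag silently `false`, so the flag cannot be relied on for grants cached before the deploy. Either way the field deserves a comment, e.g. `// Serialized into the cache; grants cached before this field existed deserialize with false.` The boolean field also carries the accessor's `is` prefix, while the neighbouring fields (`acrValues`, `sessionDn`) and the source getter `grant.isAuthorizationChallenge()` suggest `private boolean authorizationChallenge;` with `isAuthorizationChallenge()` as the getter; the same rename would apply to the constructor, `asCodeGrant` and `toString` hunks.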
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java
@@ -104,6 +104,10 @@ public boolean externalAuthorize(ExecutionContext executionContext) {
 } catch (Exception ex) {
 log.error(ex.getMessage(), ex);
 saveScriptError(script.getCustomScript(), ex);
+ throw new WebApplicationException(errorResponseFactory
+ .newErrorResponse(Response.Status.INTERNAL_SERVER_ERROR)
+ .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, executionContext.getAuthzRequest().getState(), "Unable to run authorization challenge script."))
+ .build());
 }
 log.trace("Finished 'authorize' method, script name: {}, clientId: {}, result: {}",
 script.getName(), executionContext.getAuthzRequest().getClientId(), result);
diff --git a/jans-linux-setup/jans_setup/templates/scripts.ldif b/jans-linux-setup/jans_setup/templates/scripts.ldif
index c8c45f9c485..5a4defd2202 100644
--- a/jans-linux-setup/jans_setup/templates/scripts.ldif
+++ b/jans-linux-setup/jans_setup/templates/scripts.ldif
@@ -532,7 +532,7 @@ jansEnabled: FALSE
 jansLevel: 1
 jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
 jansProgLng: java
-jansRevision: 11
+jansRevision: 1
 jansScr::%(discovery_discovery)s
 jansScrTyp: discovery
 
@@ -546,7 +546,7 @@ jansEnabled: true
 jansLevel: 1
 jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
 jansProgLng: java
-jansRevision: 11
+jansRevision: 1
 jansScr::%(authz_detail_authzdetail)s
 jansScrTyp: authz_detail
 
@@ -560,7 +560,7 @@ jansEnabled: true
 jansLevel: 1
 jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
 jansProgLng: java
-jansRevision: 11
+jansRevision: 1
 jansScr::%(authorization_challenge_authorizationchallenge)s
 jansScrTyp: authorization_challenge
 
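Review bot: The new `throw` inside `catch (Exception ex)` reports a script failure with HTTP 500 but the body still carries `AuthorizeErrorResponseType.ACCESS_DENIED`, so a client cannot tell a user denied by policy (401 `access_denied` in AuthorizationChallengeService) from a server-side failure; RFC 6749 §4.1.2.1 defines `server_error` for exactly this case, and if `AuthorizeErrorResponseType` has a matching member it is the better code here (the generic response text, which does not echo `ex.getMessage()`, is the right choice and should stay). Because the catch is `Exception`, a `WebApplicationException` deliberately thrown by the script or by code in the try body would also be re-wrapped into this 500; the try body starts outside the hunk, so whether that can happen cannot be confirmed from here, but a narrower catch or a `catch (WebApplicationException e) { throw e; }` ahead of it would keep such responses intact. The change also turns what was presumably a `false` result for every caller of `externalAuthorize` into an exception, which deserves a `@throws WebApplicationException` line in the method's Javadoc.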
@@ -574,7 +574,7 @@ jansEnabled: true
 jansLevel: 1
 jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
 jansProgLng: java
-jansRevision: 11
+jansRevision: 1
 jansScr::%(access_evaluation_accessevaluation)s
 jansScrTyp: access_evaluation
 