fix(jans-auth-server): challenge endpoint returns 400 if authorize th…

…rows an unexpected exception (#10553) #10553 Signed-off-by: YuriyZ <[email protected]>
JanssenProject · Jan 7, 2025 · 02c3df7 · 02c3df7
1 parent 5952018
commit 02c3df7
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 7 deletions.
diff --git a/...server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java b/...server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
@@ -164,8 +164,8 @@ public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBi
             if (!ok) {
                 log.debug("Not allowed by authorization challenge script, client_id {}.", client.getClientId());
                 throw new WebApplicationException(errorResponseFactory
-                        .newErrorResponse(Response.Status.BAD_REQUEST)
-                        .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, state, "No allowed by authorization challenge script."))
+                        .newErrorResponse(Response.Status.UNAUTHORIZED)
+                        .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, state, "Not allowed by authorization challenge script."))
                         .build());
             }
 

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/CacheGrant.java b/jans-auth-server/server/src/main/java/io/jans/as/server/model/common/CacheGrant.java
@@ -43,6 +43,7 @@ public class CacheGrant implements Serializable {
     private String acrValues;
     private String sessionDn;
     private int expiresIn = 1;
+    private boolean isAuthorizationChallenge;
 
     // CIBA
     private String authReqId;
@@ -73,6 +74,7 @@ public CacheGrant(AuthorizationGrant grant, AppConfiguration appConfiguration) {
         codeChallengeMethod = grant.getCodeChallengeMethod();
         claims = grant.getClaims();
         sessionDn = grant.getSessionDn();
+        isAuthorizationChallenge = grant.isAuthorizationChallenge();
     }
 
     public CacheGrant(CIBAGrant grant, AppConfiguration appConfiguration) {
@@ -263,6 +265,7 @@ public AuthorizationCodeGrant asCodeGrant(Instance<AbstractAuthorizationGrant> g
         grant.setAcrValues(acrValues);
         grant.setNonce(nonce);
         grant.setClaims(claims);
+        grant.setAuthorizationChallenge(isAuthorizationChallenge);
 
         return grant;
     }
@@ -335,11 +338,12 @@ public String getDeviceCode() {
 
     @Override
     public String toString() {
-        return "MemcachedGrant{" +
+        return "CacheGrant{" +
                 "authorizationCode=" + authorizationCodeString +
                 ", user=" + user +
                 ", client=" + client +
                 ", authenticationTime=" + authenticationTime +
+                ", isAuthorizationChallenge=" + isAuthorizationChallenge +
                 '}';
     }
 }
diff --git a/...c/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java b/...c/main/java/io/jans/as/server/service/external/ExternalAuthorizationChallengeService.java
@@ -104,6 +104,10 @@ public boolean externalAuthorize(ExecutionContext executionContext) {
         } catch (Exception ex) {
             log.error(ex.getMessage(), ex);
             saveScriptError(script.getCustomScript(), ex);
+            throw new WebApplicationException(errorResponseFactory
+                    .newErrorResponse(Response.Status.INTERNAL_SERVER_ERROR)
+                    .entity(errorResponseFactory.getErrorAsJson(AuthorizeErrorResponseType.ACCESS_DENIED, executionContext.getAuthzRequest().getState(), "Unable to run authorization challenge script."))
+                    .build());
         }
 
         log.trace("Finished 'authorize' method, script name: {}, clientId: {}, result: {}", script.getName(), executionContext.getAuthzRequest().getClientId(), result);

diff --git a/jans-linux-setup/jans_setup/templates/scripts.ldif b/jans-linux-setup/jans_setup/templates/scripts.ldif
@@ -532,7 +532,7 @@ jansEnabled: FALSE
 jansLevel: 1
 jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
 jansProgLng: java
-jansRevision: 11
+jansRevision: 1
 jansScr::%(discovery_discovery)s
 jansScrTyp: discovery
 
@@ -546,7 +546,7 @@ jansEnabled: true
 jansLevel: 1
 jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
 jansProgLng: java
-jansRevision: 11
+jansRevision: 1
 jansScr::%(authz_detail_authzdetail)s
 jansScrTyp: authz_detail
 
@@ -560,7 +560,7 @@ jansEnabled: true
 jansLevel: 1
 jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
 jansProgLng: java
-jansRevision: 11
+jansRevision: 1
 jansScr::%(authorization_challenge_authorizationchallenge)s
 jansScrTyp: authorization_challenge
 
@@ -574,7 +574,7 @@ jansEnabled: true
 jansLevel: 1
 jansModuleProperty: {"value1":"location_type","value2":"db","description":""}
 jansProgLng: java
-jansRevision: 11
+jansRevision: 1
 jansScr::%(access_evaluation_accessevaluation)s
 jansScrTyp: access_evaluation