From 3cd5d88af2bf4850779b4107d939b97e1e79624b Mon Sep 17 00:00:00 2001 From: Arnab Dutta Date: Thu, 2 Jan 2025 19:14:09 +0530 Subject: [PATCH] =?UTF-8?q?fix:=20update=20token=20script=20(role=5Fbased?= =?UTF-8?q?=5Fscopes=5Fupdate=5Ftoken)=20should=20reje=E2=80=A6=20(#10536)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fix: update token script (role_based_scopes_update_token) should reject the tampered user-info-jwt #10535 Signed-off-by: Arnab Dutta --- .../role_based_scopes_update_token.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/script-catalog/introspection/role-based-scopes-update-token/role_based_scopes_update_token.py b/docs/script-catalog/introspection/role-based-scopes-update-token/role_based_scopes_update_token.py index 3cc6b527f6b..62b203e8d1d 100644 --- a/docs/script-catalog/introspection/role-based-scopes-update-token/role_based_scopes_update_token.py +++ b/docs/script-catalog/introspection/role-based-scopes-update-token/role_based_scopes_update_token.py @@ -17,6 +17,7 @@ from java.lang import String from com.google.common.collect import Sets from io.jans.model.custom.script.type.token import UpdateTokenType +from jakarta.ws.rs import BadRequestException class UpdateToken(UpdateTokenType): def __init__(self, currentTimeMillis): @@ -103,7 +104,7 @@ def modifyAccessToken(self, accessToken, context): for scope in ele.getPermissions(): if not scope in scopes: scopes.add(scope) - + permissionTag = context.getHttpRequest().getParameter("permission_tag") permissions = adminUIConfig.getDynamic().getPermissions() 
@@ -119,10 +120,18 @@ def modifyAccessToken(self, accessToken, context): print e print "Following scopes will be added in api token: {}".format(scopes) + else: + print "Error: The User-Info JWT is not valid" + raise BadRequestException("The User-Info JWT is not valid") + context.overwriteAccessTokenScopes(accessToken, scopes) + except BadRequestException: + print "Handling BadRequestException" + return False except Exception as e: print "Exception occured. Unable to resolve role/scope mapping." print e + return False return True # context is reference of io.jans.as.server.service.external.context.ExternalUpdateTokenContext (in https://github.com/JanssenProject/jans-auth-server project, )
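Review bot: The `raise BadRequestException("The User-Info JWT is not valid")` in the new `else:` branch is caught a few lines later by the new `except BadRequestException:` clause of the same try, so the exception never leaves modifyAccessToken and the branch reduces to a `return False` with an extra print; if the intent is only to refuse the token, `return False` directly in the `else:` branch is clearer and both the catch clause and the `jakarta.ws.rs` import added in the first hunk become unnecessary, whereas if a 400 with that message was meant to reach the client the handler must re-raise rather than swallow it. Whether a False return actually rejects issuance or merely skips the scope update depends on how the caller treats UpdateTokenType.modifyAccessToken's return value, which is outside this hunk — worth confirming, since that fail-closed behaviour is what this fix relies on. The `if` whose `else:` this is, the enclosing try, and the start of modifyAccessToken all lie above the hunk. The catch-all handler still prints only the exception value; printing its type as well, e.g. `print "Exception occurred ({}). Unable to resolve role/scope mapping.".format(type(e).__name__)`, would make the rejection reason identifiable in the server log without logging token contents.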