fix(jans-auth-server): agama_flow acr in id_token does not correspond…

… to acr in request #8692 (#8694)

#8692

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
(cherry picked from commit 304851f)

jans-auth-server/server/src/main/java/io/jans/as/server/auth/Authenticator.java

@@ -17,11 +17,7 @@
 import io.jans.as.server.model.config.Constants;
 import io.jans.as.server.model.exception.InvalidSessionStateException;
 import io.jans.as.server.security.Identity;
-import io.jans.as.server.service.AuthenticationService;
-import io.jans.as.server.service.ClientService;
-import io.jans.as.server.service.ErrorHandlerService;
-import io.jans.as.server.service.RequestParameterService;
-import io.jans.as.server.service.SessionIdService;
+import io.jans.as.server.service.*;
 import io.jans.as.server.service.external.ExternalAuthenticationService;
 import io.jans.jsf2.message.FacesMessages;
 import io.jans.jsf2.service.FacesService;
@@ -763,6 +759,9 @@ private void initCustomAuthenticatorVariables(Map<String, String> sessionIdAttri
 
         this.authStep = StringHelper.toInteger(sessionIdAttributes.get(AUTH_STEP), null);
         this.authAcr = sessionIdAttributes.get(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE);
+        if (AcrService.isAgama(this.authAcr)) {
+            this.authAcr = AcrService.AGAMA;
+        }
     }
 
     private boolean authenticationFailed(SessionId sessionId) {

jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeAction.java

@@ -73,6 +73,7 @@
 import java.net.URLEncoder;
 import java.util.*;
 
+import static io.jans.as.server.service.AcrService.isAgama;
 import static io.jans.as.server.service.DeviceAuthorizationService.SESSION_USER_CODE;
 import static org.apache.commons.lang3.BooleanUtils.isTrue;
 
@@ -337,6 +338,10 @@ public void checkPermissionGrantedInternal() throws IOException {
                 }
 
                 String acr = customScriptConfiguration.getName();
+                if (isAgama(acr) && !acrValuesList.isEmpty()) {
+                    // for agama we use original acr to keep also flow name in it: agama_<flowName>
+                    acr = acrValuesList.iterator().next();
+                }
 
                 requestParameterMap.put(JwtClaimName.AUTHENTICATION_CONTEXT_CLASS_REFERENCE, acr);
                 requestParameterMap.put("auth_step", Integer.toString(1));
@@ -386,7 +391,7 @@ public void checkPermissionGrantedInternal() throws IOException {
             cookieService.creatRpOriginIdCookie(redirectUri);
             identity.setSessionId(unauthenticatedSession);
 
-            Map<String, Object> loginParameters = new HashMap<String, Object>();
+            Map<String, Object> loginParameters = new HashMap<>();
             if (requestParameterMap.containsKey(io.jans.as.model.authorize.AuthorizeRequestParam.LOGIN_HINT)) {
                 loginParameters.put(io.jans.as.model.authorize.AuthorizeRequestParam.LOGIN_HINT, requestParameterMap.get(io.jans.as.model.authorize.AuthorizeRequestParam.LOGIN_HINT));
             }

jans-auth-server/server/src/main/java/io/jans/as/server/service/AcrService.java

@@ -50,7 +50,7 @@ public class AcrService {
     private AppConfiguration appConfiguration;
 
     public static boolean isAgama(String acr) {
-        return StringUtils.isNotBlank(acr) && (acr.startsWith("agama_") || acr.equalsIgnoreCase(AGAMA));
+        return StringUtils.isNotBlank(acr) && (acr.startsWith("agama_") || AGAMA.equalsIgnoreCase(acr));
     }
 
     public void validateAcrs(AuthzRequest authzRequest, Client client) throws AcrChangedException {
@@ -158,7 +158,7 @@ public static List<String> getAcrsToDetermineScript(List<String> acrValues) {
         }
 
         if (isAgama(acrValues.get(0))) {
-            return Lists.newArrayList("agama");
+            return Lists.newArrayList(AcrService.AGAMA);
         }
 
         return acrValues;