feat(jans-auth-server): enable person authn script to have multiple a…

…cr names (#1074)

Signed-off-by: Javier Rojas Blum <javier.rojas.blum@gmail.com>

jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/AuthnScriptAliasesTest.java

@@ -0,0 +1,111 @@
+/*
+ * Janssen Project software is available under the Apache License (2004). See http://www.apache.org/licenses/ for full text.
+ *
+ * Copyright (c) 2020, Janssen Project
+ */
+
+package io.jans.as.client.ws.rs;
+
+import io.jans.as.client.*;
+import io.jans.as.client.client.AssertBuilder;
+import io.jans.as.model.common.ResponseType;
+import io.jans.as.model.register.ApplicationType;
+import io.jans.as.model.util.StringUtils;
+import org.testng.annotations.Parameters;
+import org.testng.annotations.Test;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+
+/**
+ * @author Javier Rojas Blum
+ * @version March 18, 2022
+ */
+public class AuthnScriptAliasesTest extends BaseTest {
+
+    @Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
+    @Test
+    public void acrAliasTest(
+            final String userId, final String userSecret, final String redirectUris, final String redirectUri,
+            final String sectorIdentifierUri) {
+        showTitle("acrAliasTest");
+
+        List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
+
+        // 1. Register client
+        RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app",
+                StringUtils.spaceSeparatedToList(redirectUris));
+        registerRequest.setResponseTypes(responseTypes);
+        registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
+
+        RegisterClient registerClient = newRegisterClient(registerRequest);
+        RegisterResponse registerResponse = registerClient.exec();
+
+        showClient(registerClient);
+        AssertBuilder.registerResponse(registerResponse)
+                .created()
+                .check();
+
+        String clientId = registerResponse.getClientId();
+
+        List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
+        String state = UUID.randomUUID().toString();
+        String nonce = UUID.randomUUID().toString();
+
+        AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
+        authorizationRequest.setState(state);
+        authorizationRequest.setAcrValues(Arrays.asList("basic_alias1"));
+
+        AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint,
+                authorizationRequest, userId, userSecret);
+
+        AssertBuilder.authorizationResponse(authorizationResponse)
+                .responseTypes(responseTypes)
+                .check();
+    }
+
+    @Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
+    @Test
+    public void acrAliasAuthorizedAcsValuesTest(
+            final String userId, final String userSecret, final String redirectUris, final String redirectUri,
+            final String sectorIdentifierUri) {
+        showTitle("acrAliasAuthorizedAcsValuesTest");
+
+        List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);
+
+        // 1. Register client
+        RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app",
+                StringUtils.spaceSeparatedToList(redirectUris));
+        registerRequest.setResponseTypes(responseTypes);
+        registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
+        registerRequest.setAuthorizedAcrValues(Arrays.asList(
+                "basic_alias1", "basic_alias2"
+        ));
+
+        RegisterClient registerClient = newRegisterClient(registerRequest);
+        RegisterResponse registerResponse = registerClient.exec();
+
+        showClient(registerClient);
+        AssertBuilder.registerResponse(registerResponse)
+                .created()
+                .check();
+
+        String clientId = registerResponse.getClientId();
+
+        List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
+        String state = UUID.randomUUID().toString();
+        String nonce = UUID.randomUUID().toString();
+
+        AuthorizationRequest authorizationRequest = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
+        authorizationRequest.setState(state);
+        authorizationRequest.setAcrValues(Arrays.asList("basic_alias2"));
+
+        AuthorizationResponse authorizationResponse = authenticateResourceOwnerAndGrantAccess(authorizationEndpoint,
+                authorizationRequest, userId, userSecret);
+
+        AssertBuilder.authorizationResponse(authorizationResponse)
+                .responseTypes(responseTypes)
+                .check();
+    }
+}

jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/AuthorizedAcrValuesTest.java

@@ -20,7 +20,7 @@
 
 /**
  * @author Javier Rojas Blum
- * @version March 17, 2022
+ * @version March 18, 2022
  */
 public class AuthorizedAcrValuesTest extends BaseTest {
 
@@ -68,11 +68,10 @@ public void authorizedAcrValues(
                 .check();
     }
 
-    @Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
+    @Parameters({"redirectUris", "redirectUri", "sectorIdentifierUri"})
     @Test
     public void authorizedAcrValuesFail(
-            final String userId, final String userSecret, final String redirectUris, final String redirectUri,
-            final String sectorIdentifierUri) {
+            final String redirectUris, final String redirectUri, final String sectorIdentifierUri) {
         showTitle("authorizedAcrValuesFail");
 
         List<ResponseType> responseTypes = Arrays.asList(ResponseType.CODE, ResponseType.ID_TOKEN);

jans-auth-server/client/src/test/resources/testng.xml

@@ -3,7 +3,7 @@
 <suite name="jansAuthClient" parallel="tests" thread-count="4">
 
     <listeners>
-        <listener class-name="io.jans.as.client.RetryListener" />
+        <listener class-name="io.jans.as.client.RetryListener"/>
     </listeners>
 
     <test name="JsonApplier Client test" enabled="true">
@@ -36,8 +36,13 @@
         </classes>
     </test>
 
-    <!-- Token binding -->
+    <test name="Authn Script Aliases Test" enabled="true">
+        <classes>
+            <class name="io.jans.as.client.ws.rs.AuthnScriptAliasesTest"/>
+        </classes>
+    </test>
 
+    <!-- Token binding -->
     <test name="Token Binding test (HTTP)" enabled="true">
         <classes>
             <class name="io.jans.as.client.ws.rs.TokenBindingHttpTest"/>
@@ -96,6 +101,12 @@
         </classes>
     </test>
 
+    <test name="Authorized Acr Values Test" enabled="true">
+        <classes>
+            <class name="io.jans.as.client.ws.rs.AuthorizedAcrValuesTest"/>
+        </classes>
+    </test>
+
     <!-- Authorize test -->
     <test name="Authorize test (HTTP)" enabled="true">
         <classes>
@@ -261,7 +272,7 @@
             <class name="io.jans.as.client.ws.rs.SetPublicSubjectIdentifierPerClientTest"/>
         </classes>
     </test>
-    
+
     <!-- SSO with Multiple Backend Services test -->
     <test name="SSO with Multiple Backend Services test (HTTP)" enabled="true">
         <classes>
@@ -905,7 +916,8 @@
             <class name="io.jans.as.client.ws.rs.jarm.AuthorizationResponseModeFormPostJwtResponseTypeCodeIdTokenSignedHttpTest"/>
         </classes>
     </test>
-    <test name="Test Authorization Response Mode form_post.jwt Response Type code id_token token Encrypted" enabled="true">
+    <test name="Test Authorization Response Mode form_post.jwt Response Type code id_token token Encrypted"
+          enabled="true">
         <classes>
             <class name="io.jans.as.client.ws.rs.jarm.AuthorizationResponseModeFormPostJwtResponseTypeCodeIdTokenTokenEncryptedHttpTest"/>
         </classes>
@@ -966,7 +978,8 @@
             <class name="io.jans.as.client.ws.rs.jarm.AuthorizationResponseModeFragmentJwtResponseTypeCodeIdTokenSignedHttpTest"/>
         </classes>
     </test>
-    <test name="Test Authorization Response Mode fragment.jwt Response Type code id_token token Encrypted" enabled="true">
+    <test name="Test Authorization Response Mode fragment.jwt Response Type code id_token token Encrypted"
+          enabled="true">
         <classes>
             <class name="io.jans.as.client.ws.rs.jarm.AuthorizationResponseModeFragmentJwtResponseTypeCodeIdTokenTokenEncryptedHttpTest"/>
         </classes>

jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalAuthenticationService.java

@@ -29,12 +29,8 @@
 import javax.enterprise.event.Observes;
 import javax.inject.Inject;
 import javax.inject.Named;
-import java.util.ArrayList;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
 import java.util.Map.Entry;
-import java.util.Set;
 
 /**
  * Provides factory methods needed to create external authenticator
@@ -498,6 +494,15 @@ public Map<Integer, Set<String>> levelToAcrMapping() {
                 map.put(level, acrs);
             }
             acrs.add(acr);
+
+            // Also publish alias configuration
+            if (script.getCustomScript() != null && script.getCustomScript().getAliases() != null) {
+                for (String alias : script.getCustomScript().getAliases()) {
+                    if (StringUtils.isNotBlank(alias)) {
+                        acrs.add(alias);
+                    }
+                }
+            }
         }
         return map;
     }

jans-linux-setup/jans_setup/templates/scripts.ldif

@@ -393,6 +393,8 @@ objectClass: top
 objectClass: jansCustomScr
 jansEnabled: false
 jansProgLng: python
+jansAlias: basic_alias1
+jansAlias: basic_alias2
 
 dn: inum=A910-56AB,ou=scripts,o=jans
 description: Sample script for SCIM events