From 1e088098fb5ecc8752d1cbfef9fc3dc055779cca Mon Sep 17 00:00:00 2001
From: YuriyZ
Date: Tue, 5 Dec 2023 12:33:21 +0200
Subject: [PATCH] fix(jans-auth-server): authz challenge session attributes are overwritten after external script run #6933
Signed-off-by: YuriyZ
---
 .../authorize/ws/rs/AuthorizationChallengeService.java | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
index 6fdef268d54..d7e22b451f8 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizationChallengeService.java
@@ -189,10 +189,16 @@ private SessionId generateAuthenticateSessionWithCookie(AuthzRequest authzReques
 Map requestParameterMap = requestParameterService.getAllowedParameters(parameterMap);
 SessionId sessionUser = sessionIdService.generateAuthenticatedSessionId(authzRequest.getHttpRequest(), user.getDn(), authzRequest.getPrompt());
- sessionUser.setSessionAttributes(requestParameterMap);
+ final Set sessionAttributesKeySet = sessionUser.getSessionAttributes().keySet();
+ requestParameterMap.forEach((key, value) -> {
+ if (!sessionAttributesKeySet.contains(key)) {
+ sessionUser.getSessionAttributes().put(key, value);
+ }
+ });
 cookieService.createSessionIdCookie(sessionUser, authzRequest.getHttpRequest(), authzRequest.getHttpResponse(), false);
 sessionIdService.updateSessionId(sessionUser);
+ log.trace("Session updated with {}", sessionUser);
 return sessionUser;
 }
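Review bot: The added `log.trace("Session updated with {}", sessionUser);` after `updateSessionId` hands the whole session object to the logger. `SessionId.toString()` is not visible in this hunk, but if it renders the session id or the attribute map, trace logs would hold a live session identifier together with the merged request parameters of an authorization-challenge request. Logging only what is needed to debug the merge would avoid that, for example `log.trace("Session updated, attribute keys: {}", sessionUser.getSessionAttributes().keySet());`. The merge loop would also benefit from a one-line comment stating the precedence rule, such as `// attributes already on the session win; request parameters only fill missing keys`, since that ordering decides whether a request parameter can replace a value already on the session. The body of `generateAuthenticateSessionWithCookie` starts above the hunk, so whether `getSessionAttributes()` can return null at this point cannot be confirmed from here.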