fix(jans-auth-server): "login:prompt" property passed in request obje…
…ct JWT breaks authentication #2493 (#2537)

docs: no docs
#2493
yuriyz committed Oct 4, 2022
1 parent 78b6bbe commit 9d4d84a
Showing 4 changed files with 42 additions and 7 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -292,10 +292,14 @@ public static boolean isNullOrEmpty(String string) {
}

public static int parseIntSilently(String intString) {
return parseIntSilently(intString, -1);
}

public static int parseIntSilently(String intString, int defaultValue) {
try {
return Integer.parseInt(intString);
} catch (Exception e) {
return -1;
return defaultValue;
}
}

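Review bot: `catch (Exception e)` in the new `parseIntSilently(String, int)` overload is wider than the call warrants — `Integer.parseInt` throws only `NumberFormatException` (including for a `null` argument), so the broad catch silently swallows anything else raised on that line and should be narrowed to `} catch (NumberFormatException e) {`. The overload also arrives without Javadoc; a short comment stating that `defaultValue` is returned when `intString` is null or not a decimal integer, and that the one-argument form keeps the historical `-1` default, would document the contract new callers rely on. The method's enclosing class starts outside the hunk.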
Original file line number Diff line number Diff line change
Expand Up @@ -502,6 +502,7 @@ private ResponseBuilder authorize(AuthzRequest authzRequest) throws AcrChangedEx
ResponseBuilder builder = RedirectUtil.getRedirectResponseBuilder(authzRequest.getRedirectUriResponse().getRedirectUri(), authzRequest.getHttpRequest());

addCustomHeaders(builder, authzRequest);
updateSessionRpRedirect(sessionUser);

runCiba(authzRequest.getAuthReqId(), client, authzRequest.getHttpRequest(), authzRequest.getHttpResponse());
processDeviceAuthorization(deviceAuthzUserCode, user);
Expand Down Expand Up @@ -572,15 +573,18 @@ private void checkPromptConsent(AuthzRequest authzRequest, List<Prompt> prompts,

private void checkPromptLogin(AuthzRequest authzRequest, List<Prompt> prompts) {
if (prompts.contains(Prompt.LOGIN)) {
boolean sessionUnauthenticated = false;

// workaround for #1030 - remove only authenticated session, for set up acr we set it unauthenticated and then drop in AuthorizeAction
if (identity.getSessionId().getState() == SessionIdState.AUTHENTICATED) {
unauthenticateSession(authzRequest.getSessionId(), authzRequest.getHttpRequest());
sessionUnauthenticated = unauthenticateSession(authzRequest.getSessionId(), authzRequest.getHttpRequest(), authzRequest.isPromptFromJwt());
}
authzRequest.setSessionId(null);
prompts.remove(Prompt.LOGIN);

throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, prompts));
if (sessionUnauthenticated) {
throw new WebApplicationException(redirectToAuthorizationPage(authzRequest, prompts));
}
}
}

Expand Down Expand Up @@ -731,7 +735,7 @@ private Pair<User, SessionId> ifUserIsNull(AuthzRequest authzRequest) throws Sea
}
} else {
if (prompts.contains(Prompt.LOGIN)) {
unauthenticateSession(authzRequest.getSessionId(), authzRequest.getHttpRequest());
unauthenticateSession(authzRequest.getSessionId(), authzRequest.getHttpRequest(), authzRequest.isPromptFromJwt());
authzRequest.setSessionId(null);
prompts.remove(Prompt.LOGIN);
authzRequest.setPrompt(implode(prompts, " "));
Expand Down Expand Up @@ -906,25 +910,41 @@ private Response redirectTo(String pathToRedirect, AuthzRequest authzRequest, Li
return builder.build();
}

private void unauthenticateSession(String sessionId, HttpServletRequest httpRequest) {
identity.logout();
private void updateSessionRpRedirect(SessionId sessionUser) {
int rpRedirectCount = Util.parseIntSilently(sessionUser.getSessionAttributes().get("successful_rp_redirect_count"), 0);
rpRedirectCount++;

sessionUser.getSessionAttributes().put("successful_rp_redirect_count", Integer.toString(rpRedirectCount));
sessionIdService.updateSessionId(sessionUser);
}

private boolean unauthenticateSession(String sessionId, HttpServletRequest httpRequest) {
return unauthenticateSession(sessionId, httpRequest, false);
}

private boolean unauthenticateSession(String sessionId, HttpServletRequest httpRequest, boolean isPromptFromJwt) {
SessionId sessionUser = identity.getSessionId();

if (isPromptFromJwt && sessionUser != null && !sessionUser.getSessionAttributes().containsKey("successful_rp_redirect_count")) {
return false; // skip unauthentication because there were no at least one successful rp redirect
}

if (sessionUser != null) {
sessionUser.setUserDn(null);
sessionUser.setUser(null);
sessionUser.setAuthenticationTime(null);
}

identity.logout();

if (StringHelper.isEmpty(sessionId)) {
sessionId = cookieService.getSessionIdFromCookie(httpRequest);
}

SessionId persistenceSessionId = sessionIdService.getSessionId(sessionId);
if (persistenceSessionId == null) {
log.error("Failed to load session from LDAP by session_id: '{}'", sessionId);
return;
return true;
}

persistenceSessionId.setState(SessionIdState.UNAUTHENTICATED);
Expand All @@ -936,6 +956,7 @@ private void unauthenticateSession(String sessionId, HttpServletRequest httpRequ
if (!result) {
log.error("Failed to update session_id '{}'", sessionId);
}
return result;
}

/**
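Review bot: The new `boolean` result of `unauthenticateSession` conflates two different outcomes, and `checkPromptLogin` treats them as one: `false` is returned both when the JWT-sourced `prompt=login` is deliberately skipped (the `successful_rp_redirect_count` gate) and when `sessionIdService.updateSessionId` fails (`return result;`). In the failure case `identity.logout()` has already run while the persisted session presumably still reads `AUTHENTICATED`, yet the caller now drops the redirect that was unconditional before this commit, nulls the session id and strips `Prompt.LOGIN`, so the request proceeds; returning `true` after the `log.error` (or a three-valued result that distinguishes skipped from failed) keeps the pre-commit behaviour on persistence failure. In `ifUserIsNull` the return value is ignored altogether, so a skipped unauthentication still removes `prompt=login` from the request there. Worth confirming too that the gate cannot re-enter the #2493 loop after the first successful redirect: the counter is never cleared in the visible code, so a later request-object `prompt=login` on the same session will unauthenticate on every round unless re-authentication yields a fresh session. Finally `"successful_rp_redirect_count"` appears three times as a literal and deserves a `private static final String` constant.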
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,15 @@ public class AuthzRequest {
private RedirectUriResponse redirectUriResponse;
private Client client;
private OAuth2AuditLog auditLog;
private boolean promptFromJwt;

public boolean isPromptFromJwt() {
return promptFromJwt;
}

public void setPromptFromJwt(boolean promptFromJwt) {
this.promptFromJwt = promptFromJwt;
}

public OAuth2AuditLog getAuditLog() {
return auditLog;
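Review bot: The new `promptFromJwt` field carries no documentation although it now decides whether a `prompt=login` is enforced by the authorization service; a Javadoc on the field such as `/** True when the prompt list was replaced by the prompts carried in a request object JWT. */` would make that visible to the next reader. Its declaration sits after `auditLog` while the accessors are placed before `getAuditLog`, which is a minor ordering inconsistency with the rest of the class; the class `AuthzRequest` starts outside the hunk.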
Original file line number Diff line number Diff line change
Expand Up @@ -228,6 +228,7 @@ public void processRequestObject(AuthzRequest authzRequest, Client client, Set<S
prompts.clear();
prompts.addAll(Lists.newArrayList(jwtRequest.getPrompts()));
authzRequest.setPrompt(implode(prompts, " "));
authzRequest.setPromptFromJwt(true);
}
if (jwtRequest.getResponseMode() != null) {
authzRequest.setResponseMode(jwtRequest.getResponseMode().getValue());
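Review bot: `setPromptFromJwt(true)` is set whenever the request object's prompts replace the query-string ones, so the JWT now drives a security-relevant decision (whether `prompt=login` re-authenticates the session), and this hunk does not show where `jwtRequest` is signature-verified or its prompt values validated before this branch — please confirm that check precedes it, since the enclosing `processRequestObject` starts outside the hunk. A one-line comment at the assignment, `// lets checkPromptLogin avoid the request-object prompt=login loop (#2493)`, would record why the flag exists.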
