fix(jans-auth-server): PKCE parameters from first SSO request retains…

… in further calls (#2620) #2560
JanssenProject · Oct 14, 2022 · de98b41 · de98b41
1 parent de775a7
commit de98b41
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/service/SessionIdService.java b/jans-auth-server/server/src/main/java/io/jans/as/server/service/SessionIdService.java
@@ -250,6 +250,11 @@ private static boolean shouldReinitSession(Map<String, String> sessionAttributes
     public boolean reinitLogin(SessionId session, boolean force) {
         final Map<String, String> sessionAttributes = session.getSessionAttributes();
         final Map<String, String> currentSessionAttributes = getCurrentSessionAttributes(sessionAttributes);
+        if (log.isTraceEnabled()) {
+            log.trace("sessionAttributes: {}", sessionAttributes);
+            log.trace("currentSessionAttributes: {}", currentSessionAttributes);
+            log.trace("shouldReinitSession: {}, force: {}", shouldReinitSession(sessionAttributes, currentSessionAttributes), force);
+        }
 
         if (force || shouldReinitSession(sessionAttributes, currentSessionAttributes)) {
             sessionAttributes.putAll(currentSessionAttributes);
@@ -277,6 +282,9 @@ public boolean reinitLogin(SessionId session, boolean force) {
             if (!updateResult) {
                 log.debug("Failed to update session entry: '{}'", session.getId());
             }
+            if (log.isTraceEnabled()) {
+                log.trace("sessionAttributes after update: {}, ", session.getSessionAttributes());
+            }
             return updateResult;
         }
         return false;
@@ -314,14 +322,18 @@ private Map<String, String> getCurrentSessionAttributes(Map<String, String> sess
         // Update from request
         final Map<String, String> currentSessionAttributes = new HashMap<>(sessionAttributes);
 
-        Map<String, String> parameterMap = externalContext.getRequestParameterMap();
-        Map<String, String> newRequestParameterMap = requestParameterService.getAllowedParameters(parameterMap);
+        Map<String, String> requestParameters = externalContext.getRequestParameterMap();
+        Map<String, String> newRequestParameterMap = requestParameterService.getAllowedParameters(requestParameters);
         for (Entry<String, String> newRequestParameterMapEntry : newRequestParameterMap.entrySet()) {
             String name = newRequestParameterMapEntry.getKey();
             if (!StringHelper.equalsIgnoreCase(name, io.jans.as.model.config.Constants.AUTH_STEP)) {
                 currentSessionAttributes.put(name, newRequestParameterMapEntry.getValue());
             }
         }
+        if (!requestParameters.containsKey(AuthorizeRequestParam.CODE_CHALLENGE) || !requestParameters.containsKey(AuthorizeRequestParam.CODE_CHALLENGE_METHOD)) {
+            currentSessionAttributes.remove(AuthorizeRequestParam.CODE_CHALLENGE);
+            currentSessionAttributes.remove(AuthorizeRequestParam.CODE_CHALLENGE_METHOD);
+        }
 
         return currentSessionAttributes;
     }