feat(jans-auth-server): return unmet_authentication_requirements erro…

…r code if acr is not recognized #7900

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java

@@ -7,31 +7,35 @@
 package io.jans.as.server.authorize.ws.rs;
 
 import com.google.common.base.Strings;
-import io.jans.as.model.authzdetails.AuthzDetails;
 import io.jans.as.common.model.registration.Client;
 import io.jans.as.common.model.session.SessionId;
 import io.jans.as.common.model.session.SessionIdState;
 import io.jans.as.common.util.RedirectUri;
 import io.jans.as.model.authorize.AuthorizeErrorResponseType;
+import io.jans.as.model.authzdetails.AuthzDetails;
 import io.jans.as.model.common.Prompt;
 import io.jans.as.model.common.ResponseMode;
 import io.jans.as.model.common.ResponseType;
 import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.model.crypto.signature.SignatureAlgorithm;
 import io.jans.as.model.error.ErrorResponseFactory;
 import io.jans.as.model.exception.InvalidJwtException;
+import io.jans.as.model.util.Util;
 import io.jans.as.server.model.authorize.AuthorizeParamsValidator;
 import io.jans.as.server.model.authorize.JwtAuthorizationRequest;
 import io.jans.as.server.model.common.DeviceAuthorizationCacheControl;
 import io.jans.as.server.model.exception.AcrChangedException;
 import io.jans.as.server.model.exception.InvalidRedirectUrlException;
 import io.jans.as.server.security.Identity;
 import io.jans.as.server.service.*;
+import io.jans.as.server.service.external.ExternalAuthenticationService;
 import io.jans.as.server.service.external.ExternalAuthzDetailTypeService;
 import io.jans.as.server.service.external.session.SessionEvent;
 import io.jans.as.server.service.external.session.SessionEventType;
 import io.jans.as.server.util.RedirectUtil;
 import io.jans.as.server.util.ServerUtil;
+import io.jans.model.AuthenticationScriptUsageType;
+import io.jans.model.custom.script.conf.CustomScriptConfiguration;
 import io.jans.orm.exception.EntryPersistenceException;
 import jakarta.ejb.Stateless;
 import jakarta.inject.Inject;
@@ -88,6 +92,9 @@ public class AuthorizeRestWebServiceValidator {
     @Inject
     private ExternalAuthzDetailTypeService externalAuthzDetailTypeService;
 
+    @Inject
+    private ExternalAuthenticationService externalAuthenticationService;
+
     public Client validateClient(String clientId, String state) {
         return validateClient(clientId, state, false);
     }
@@ -405,9 +412,24 @@ public void validateAcrs(AuthzRequest authzRequest, Client client) throws AcrCha
             throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.INVALID_REQUEST,
                     "Restricted acr value request, please review the list of authorized acr values for this client");
         }
+
+        checkAcrScriptIsAvailable(authzRequest);
         checkAcrChanged(authzRequest, identity.getSessionId()); // check after redirect uri is validated
     }
 
+    public void checkAcrScriptIsAvailable(AuthzRequest authzRequest) {
+        if (Util.isBuiltInPasswordAuthn(authzRequest.getAcrValues())) {
+            return; // no need for script for built-in "simple_password_auth"
+        }
+
+        CustomScriptConfiguration script = externalAuthenticationService.determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, authzRequest.getAcrValuesList());
+        if (script == null) {
+            String msg = String.format("Unable to find script for acr: %s. Send error: %s",
+                    authzRequest.getAcrValues(), AuthorizeErrorResponseType.UNMET_AUTHENTICATION_REQUIREMENTS.getParameter());
+            log.debug(msg);
+            throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.UNMET_AUTHENTICATION_REQUIREMENTS, msg);
+        }
+    }
 
     private void checkAcrChanged(AuthzRequest authzRequest, SessionId sessionUser) throws AcrChangedException {
         try {