diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java index 6fe440eb3d7..e0e93ec2990 100644 --- a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java +++ b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceValidator.java @@ -7,12 +7,12 @@ package io.jans.as.server.authorize.ws.rs; import com.google.common.base.Strings; -import io.jans.as.model.authzdetails.AuthzDetails; import io.jans.as.common.model.registration.Client; import io.jans.as.common.model.session.SessionId; import io.jans.as.common.model.session.SessionIdState; import io.jans.as.common.util.RedirectUri; import io.jans.as.model.authorize.AuthorizeErrorResponseType; +import io.jans.as.model.authzdetails.AuthzDetails; import io.jans.as.model.common.Prompt; import io.jans.as.model.common.ResponseMode; import io.jans.as.model.common.ResponseType; @@ -20,6 +20,7 @@ import io.jans.as.model.crypto.signature.SignatureAlgorithm; import io.jans.as.model.error.ErrorResponseFactory; import io.jans.as.model.exception.InvalidJwtException; +import io.jans.as.model.util.Util; import io.jans.as.server.model.authorize.AuthorizeParamsValidator; import io.jans.as.server.model.authorize.JwtAuthorizationRequest; import io.jans.as.server.model.common.DeviceAuthorizationCacheControl; 
@@ -27,11 +28,14 @@ import io.jans.as.server.model.exception.InvalidRedirectUrlException; import io.jans.as.server.security.Identity; import io.jans.as.server.service.*; +import io.jans.as.server.service.external.ExternalAuthenticationService; import io.jans.as.server.service.external.ExternalAuthzDetailTypeService; import io.jans.as.server.service.external.session.SessionEvent; import io.jans.as.server.service.external.session.SessionEventType; import io.jans.as.server.util.RedirectUtil; import io.jans.as.server.util.ServerUtil; +import io.jans.model.AuthenticationScriptUsageType; +import io.jans.model.custom.script.conf.CustomScriptConfiguration; import io.jans.orm.exception.EntryPersistenceException; import jakarta.ejb.Stateless; import jakarta.inject.Inject; @@ -88,6 +92,9 @@ public class AuthorizeRestWebServiceValidator { @Inject private ExternalAuthzDetailTypeService externalAuthzDetailTypeService; + @Inject + private ExternalAuthenticationService externalAuthenticationService; + public Client validateClient(String clientId, String state) { return validateClient(clientId, state, false); } 
@@ -405,9 +412,24 @@ public void validateAcrs(AuthzRequest authzRequest, Client client) throws AcrCha throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.INVALID_REQUEST, "Restricted acr value request, please review the list of authorized acr values for this client"); } + + checkAcrScriptIsAvailable(authzRequest); checkAcrChanged(authzRequest, identity.getSessionId()); // check after redirect uri is validated } + public void checkAcrScriptIsAvailable(AuthzRequest authzRequest) { + if (Util.isBuiltInPasswordAuthn(authzRequest.getAcrValues())) { + return; // no need for script for built-in "simple_password_auth" + } + + CustomScriptConfiguration script = externalAuthenticationService.determineCustomScriptConfiguration(AuthenticationScriptUsageType.INTERACTIVE, authzRequest.getAcrValuesList()); + if (script == null) { + String msg = String.format("Unable to find script for acr: %s. Send error: %s", + authzRequest.getAcrValues(), AuthorizeErrorResponseType.UNMET_AUTHENTICATION_REQUIREMENTS.getParameter()); + log.debug(msg); + throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.UNMET_AUTHENTICATION_REQUIREMENTS, msg); + } + } private void checkAcrChanged(AuthzRequest authzRequest, SessionId sessionUser) throws AcrChangedException { try {
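Review bot: In the new checkAcrScriptIsAvailable, the client-supplied acr_values string is copied verbatim into the message handed to createWebException, so it is reflected into the error_description of the redirect response; RFC 6749 limits error_description to a restricted ASCII set, and unless RedirectUri sanitises that text (not visible here) an attacker-chosen value ends up in the redirect, while also telling callers which acr values have no script behind them. Keep the detail server-side and send a fixed description: `log.debug("Unable to find script for acr: {}", authzRequest.getAcrValues());` followed by `throw authzRequest.getRedirectUriResponse().createWebException(AuthorizeErrorResponseType.UNMET_AUTHENTICATION_REQUIREMENTS, "No authentication script is configured for the requested acr_values");`. Two behaviours worth confirming with a test, since neither helper is visible: what Util.isBuiltInPasswordAuthn returns when acr_values lists several values including the built-in one (the early return would then skip the lookup for the others, which go to determineCustomScriptConfiguration as a list), and what determineCustomScriptConfiguration returns when acr_values is absent, because a null there now rejects requests that validateAcrs previously accepted. validateAcrs starts before this hunk and checkAcrChanged continues past it.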