fix(jans-auth-server): "login:prompt" property passed in request object JWT breaks authentication #2493

Status: Closed
yuriyz opened this issue Sep 28, 2022 · 0 comments · Fixed by #2537
Assignee: yuriyz
Labels: comp-jans-auth-server (Component affected by issue or PR), kind-bug (Issue or PR is a bug in existing functionality)
Milestone: 1.0.3

Comments

yuriyz (Contributor) commented Sep 28, 2022

Describe the bug

Issue comes from the oxAuth report
GluuFederation/oxAuth#1712

As reported in ticket 10741, if the login:prompt property is included in a request object JWT, the user is stuck in an endless cycle of being presented with the login page, and cannot authenticate. The issue doesn't occur when login=prompt is passed as a parameter in the URL query string.

Preconditions

  1. Gluu Server is installed and a configuration is created to run a test OIDC flow (oxTrust could be used as the OIDC client for a quick test)
  2. An interception proxy in front of Gluu Server to capture and modify requests (or a pre-assembled URL representing an OIDC authz request with the request object already embedded)
  3. Auth method is set to "basic" or "simple_password_auth" for the client used in testing
  4. In case oxTrust is used as the client: to bypass the need to create a signed request object payload, it's easier to disable signing for it until the end of the test:
  • at the "JSON Configuration" > "oxAuth" page, set the "rejectJwtWithNoneAlg" property to "false"
  • at oxTrust's client entry page, set the signing algorithm for the request object to "none"

Steps To Reproduce

  1. Start the flow, ensuring that the OIDC authz request carries the required payload in the request=... URL query parameter (see the example below)
  2. Provide valid user credentials when landing on the oxAuth login page

Expected behavior

The user is logged in, even when they already have a session at oxAuth (no SSO)

Actual behavior

Login doesn't happen; the user is redirected to the oxAuth login page again, caught in an endless loop. No errors can be seen in the logs.

An example of a request object JWT payload that can be used to reproduce the issue (the "client_id" and "iss" properties may need to be substituted with meaningful values):

Header:

{"alg":"none"}

Body:

{"scope":"openid profile","iss":"1001.64856125-de51-467f-9043-682658118f0d","response_type":"code","prompt":"login","client_id":"1001.64856125-de51-467f-9043-682658118f0d"}

Base64-encoded form with no signature:

eyJhbGciOiJub25lIn0=.eyJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiaXNzIjoiMTAwMS42NDg1NjEyNS1kZTUxLTQ2N2YtOTA0My02ODI2NTgxMThmMGQiLCJyZXNwb25zZV90eXBlIjoiY29kZSIsInByb21wdCI6ImxvZ2luIiwiY2xpZW50X2lkIjoiMTAwMS42NDg1NjEyNS1kZTUxLTQ2N2YtOTA0My02ODI2NTgxMThmMGQifQ==.

Support: 10741
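The following Python helper is an added example for reproducing and inspecting this report; it is not code from the issue author or from the jans-auth-server/oxAuth projects. It rebuilds the request object from the "Body" claims above as a compact JWS (alg=none, and an HS256-signed variant for servers where rejectJwtWithNoneAlg stays true), decodes the token printed in the issue (which uses standard base64 with "=" padding, while RFC 7515 requires unpadded base64url, so the decoder is deliberately lenient), assembles the request=... authorization URL, and merges query-string and request-object parameters the way OIDC Core 6.1 describes (request object values take precedence, client_id/response_type must agree), which is what an authorization server has to do before it looks at prompt at all. The authorization endpoint URL and the client secret are placeholder values.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Token copied verbatim from the issue text above: {"alg":"none"} header, no signature,
# encoded with standard base64 plus "=" padding (not strict base64url).
PAGE_TOKEN = (
    "eyJhbGciOiJub25lIn0=."
    "eyJzY29wZSI6Im9wZW5pZCBwcm9maWxlIiwiaXNzIjoiMTAwMS42NDg1NjEyNS1kZTUxLTQ2N2YtOTA0My02ODI2NTgxMThmMGQi"
    "LCJyZXNwb25zZV90eXBlIjoiY29kZSIsInByb21wdCI6ImxvZ2luIiwiY2xpZW50X2lkIjoiMTAwMS42NDg1NjEyNS1kZTUxLTQ2N2YtOTA0My02ODI2NTgxMThmMGQifQ=="
    "."
)

# Claims from the issue's "Body" section (client_id/iss are the issue's sample values).
REPRO_CLAIMS = {
    "scope": "openid profile",
    "iss": "1001.64856125-de51-467f-9043-682658118f0d",
    "response_type": "code",
    "prompt": "login",
    "client_id": "1001.64856125-de51-467f-9043-682658118f0d",
}


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Lenient decoder: accepts base64url or standard alphabet, padded or unpadded."""
    segment = segment.replace("-", "+").replace("_", "/")
    segment += "=" * (-len(segment) % 4)
    return base64.b64decode(segment)


def _compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def build_unsigned_request_object(claims: dict) -> str:
    """alg=none request object (header.payload. with an empty signature part).
    Only accepted when the server's rejectJwtWithNoneAlg is false, as in the preconditions."""
    header = b64url_encode(_compact_json({"alg": "none"}))
    return f"{header}.{b64url_encode(_compact_json(claims))}."


def build_hs256_request_object(claims: dict, client_secret: str) -> str:
    """Same payload, HMAC-SHA256 signed with the client secret, for servers that reject alg=none."""
    header = b64url_encode(_compact_json({"alg": "HS256", "typ": "JWT"}))
    signing_input = f"{header}.{b64url_encode(_compact_json(claims))}"
    mac = hmac.new(client_secret.encode(), signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify_hs256(token: str, client_secret: str) -> bool:
    header, payload, signature = token.split(".")
    expected = hmac.new(client_secret.encode(), f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url_decode(signature), expected)


def parse_request_object(token: str):
    """Split a compact JWS into (header, claims). Does NOT verify the signature."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def merge_authorization_request(query: dict, request_claims: dict) -> dict:
    """OIDC Core 6.1: parameters in the request object supersede the same parameters in the
    query string; client_id and response_type, when present in both, must match."""
    for name in ("client_id", "response_type"):
        if name in request_claims and query.get(name) not in (None, request_claims[name]):
            raise ValueError(f"{name} differs between query string and request object")
    merged = {k: v for k, v in query.items() if k != "request"}
    merged.update(request_claims)
    return merged


def prompt_values(params: dict) -> frozenset:
    """prompt is a space-delimited list; 'login' in it means re-authenticate even with a session."""
    return frozenset(params.get("prompt", "").split())


def build_authorization_url(authz_endpoint: str, query: dict, request_object: str) -> str:
    """Authorization request with the request object embedded in the request= query parameter."""
    params = dict(query)
    params["request"] = request_object
    return f"{authz_endpoint}?{urlencode(params)}"


if __name__ == "__main__":
    cid = REPRO_CLAIMS["client_id"]
    token = build_unsigned_request_object(REPRO_CLAIMS)
    # Placeholder endpoint; substitute the real Gluu Server authorization endpoint.
    print(build_authorization_url("https://idp.example/oxauth/restv1/authorize",
                                  {"client_id": cid, "response_type": "code"}, token))
    print(parse_request_object(PAGE_TOKEN))
```

With the merged parameter set, whether prompt=login arrived in the query string or inside the request object is no longer distinguishable, which is the property the expected behavior above relies on: one forced re-authentication, then the flow completes.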

@yuriyz yuriyz added kind-bug Issue or PR is a bug in existing functionality comp-jans-auth-server Component affected by issue or PR labels Sep 28, 2022
@yuriyz yuriyz added this to the 1.0.3 milestone Sep 28, 2022
@yuriyz yuriyz self-assigned this Sep 28, 2022
yuriyz added a commit that referenced this issue Oct 4, 2022
yuriyz added a commit that referenced this issue Oct 4, 2022