Fixes in master branch for GluuFederation/oxTrust#797

GluuFederation · Mar 16, 2018 · 0456cc7 · 0456cc7
1 parent 34b3b4a
commit 0456cc7
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 9 deletions.
diff --git a/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.java b/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeAction.java
@@ -204,10 +204,10 @@ public void checkPermissionGranted() {
             session = sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(session, acrValues);
         } catch (AcrChangedException e) {
             log.debug("There is already existing session which has another acr then {}, session: {}", acrValues, session.getId());
-            if (prompts.contains(Prompt.LOGIN)) {
+            if (e.isForceReAuthentication()) {
                 session = handleAcrChange(session, prompts);
             } else {
-                log.error("Please provide prompt=login to force login with new ACR or otherwise perform logout and re-authenticate.");
+                log.error("ACR is changed, please provide a supported and enabled acr value");
                 permissionDenied();
                 return;
             }
@@ -332,9 +332,13 @@ public void checkPermissionGranted() {
     }
 
     private SessionId handleAcrChange(SessionId session, List<Prompt> prompts) {
-        if (session != null && prompts.contains(Prompt.LOGIN)) { // change session state only if prompt=none
+        if (session != null) {
             if (session.getState() == SessionIdState.AUTHENTICATED) {
-                session.getSessionAttributes().put("prompt", prompt);
+
+                if (!prompts.contains(Prompt.LOGIN)) {
+                    prompts.add(Prompt.LOGIN);
+                }
+                session.getSessionAttributes().put("prompt", org.xdi.oxauth.model.util.StringUtils.implode(prompts, " "));
                 session.setState(SessionIdState.UNAUTHENTICATED);
 
                 // Update Remote IP

diff --git a/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java b/Server/src/main/java/org/xdi/oxauth/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
@@ -187,7 +187,21 @@ public Response requestAuthorization(
         try {
             Map<String, String> customResponseHeaders = Util.jsonObjectArrayStringAsMap(customRespHeaders);
 
-            sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(sessionUser, acrValuesStr);
+            try {
+                sessionIdService.assertAuthenticatedSessionCorrespondsToNewRequest(sessionUser, acrValuesStr);
+            } catch (AcrChangedException e) { // Acr changed
+                //See https://github.com/GluuFederation/oxTrust/issues/797
+                if (e.isForceReAuthentication()) {
+                    if (!prompts.contains(Prompt.LOGIN)) {
+                        log.info("ACR is changed, adding prompt=login to prompts");
+                        prompts.add(Prompt.LOGIN);
+                        //Override prompt in session
+                        sessionUser.getSessionAttributes().put("prompt", org.xdi.oxauth.model.util.StringUtils.implode(prompts, " "));
+                    }
+                } else {
+                    throw e;
+                }
+            }
 
             if (!AuthorizeParamsValidator.validateParams(responseType, clientId, prompts, nonce, request, requestUri)) {
                 if (clientId != null && redirectUri != null && redirectionUriService.validateRedirectionUri(clientId, redirectUri) != null) {
@@ -630,7 +644,7 @@ public Response requestAuthorization(
 //                    "than the one send with this authorization request. Please perform logout in order to login with another ACR. ACR: " + acrValuesStr);
 //            log.error(e.getMessage(), e);
         } catch (AcrChangedException e) { // Acr changed
-            log.error("ACR is changed, please use prompt=login in order to alter existing session.");
+            log.error("ACR is changed, please provide a supported and enabled acr value");
             log.error(e.getMessage(), e);
 
             RedirectUri redirectUriResponse = new RedirectUri(redirectUri, responseTypes, responseMode);

diff --git a/Server/src/main/java/org/xdi/oxauth/model/exception/AcrChangedException.java b/Server/src/main/java/org/xdi/oxauth/model/exception/AcrChangedException.java
@@ -7,7 +7,14 @@
 
 public class AcrChangedException extends Exception {
 
+    private boolean forceReAuthentication;
+
     public AcrChangedException() {
+        forceReAuthentication = true;
+    }
+
+    public AcrChangedException(boolean forceReAuthentication) {
+        this.forceReAuthentication = forceReAuthentication;
     }
 
     public AcrChangedException(Throwable cause) {
@@ -21,4 +28,13 @@ public AcrChangedException(String message) {
     public AcrChangedException(String message, Throwable cause) {
         super(message, cause);
     }
+
+    public boolean isForceReAuthentication() {
+        return forceReAuthentication;
+    }
+
+    public void setForceReAuthentication(boolean forceReAuthentication) {
+        this.forceReAuthentication = forceReAuthentication;
+    }
+
 }
diff --git a/Server/src/main/java/org/xdi/oxauth/service/SessionIdService.java b/Server/src/main/java/org/xdi/oxauth/service/SessionIdService.java
@@ -142,10 +142,10 @@ public SessionId assertAuthenticatedSessionCorrespondsToNewRequest(SessionId ses
 
 	                log.info("Acr is changed. Session acr: " + sessionAcr + "(level: " + sessionAcrLevel + "), " +
 	                        "current acr: " + acrValue + "(level: " + currentAcrLevel + ")");
-	                
-	                // Requested acr method which not enabled
+
+	                // Requested acr method not enabled
 	                if (currentAcrLevel == null) {
-	                    throw new AcrChangedException();
+	                    throw new AcrChangedException(false);
 	                }
 
 	                if (sessionAcrLevel < currentAcrLevel) {