fix: Use highest level script in case ACR script is not found. Added …

…FF to keep existing behavior.

docker-jans-persistence-loader/scripts/upgrade.py

@@ -111,6 +111,10 @@ def _transform_auth_dynamic_config(conf):
         conf["redirectUrisRegexEnabled"] = True
         should_update = True
 
+    if "useHighestLevelScriptIfAcrScriptNotFound" not in conf:
+        conf["useHighestLevelScriptIfAcrScriptNotFound"] = True
+        should_update = True
+
     # return the conf and flag to determine whether it needs update or not
     return conf, should_update
 

docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.json

@@ -436,5 +436,6 @@
     "deviceAuthzRequestExpiresIn": 1800,
     "deviceAuthzTokenPollInterval": 5,
     "deviceAuthzResponseTypeToProcessAuthz": "code",
-    "redirectUrisRegexEnabled": true
+    "redirectUrisRegexEnabled": true,
+    "useHighestLevelScriptIfAcrScriptNotFound": true
 }

docker-jans-persistence-loader/templates/jans-auth/jans-auth-config.ob.json

@@ -360,5 +360,6 @@
     "deviceAuthzResponseTypeToProcessAuthz": "code",
     "staticKid": "%(staticKid)s",
     "forceOfflineAccessScopeToEnableRefreshToken" : false,
-    "redirectUrisRegexEnabled": true
+    "redirectUrisRegexEnabled": true,
+    "useHighestLevelScriptIfAcrScriptNotFound": true
 }

jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/AuthorizationAcrValuesTest.java

@@ -0,0 +1,132 @@
+package io.jans.as.client.ws.rs;
+
+import io.jans.as.client.*;
+import io.jans.as.client.client.AssertBuilder;
+import io.jans.as.model.common.ResponseType;
+import io.jans.as.model.register.ApplicationType;
+import io.jans.as.model.util.StringUtils;
+import org.testng.annotations.Parameters;
+import org.testng.annotations.Test;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.UUID;
+
+import static org.testng.Assert.assertNotNull;
+
+/**
+ * Integration tests to validate redirect uris regex behavior
+ *
+ */
+public class AuthorizationAcrValuesTest extends BaseTest {
+
+    /**
+     * This method is used to test when acr_values is not send in Authentication URL
+     */
+    @Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
+    @Test
+    public void requestAuthorizationAcrValues_NoAcrsValues_NotNull(
+            final String userId, final String userSecret, final String redirectUris, final String redirectUri,
+            final String sectorIdentifierUri) {
+        showTitle("requestAuthorizationAcrValues_NoAcrsValues_NotNull");
+
+        List<ResponseType> responseTypes = Arrays.asList(
+                ResponseType.CODE,
+                ResponseType.TOKEN,
+                ResponseType.ID_TOKEN);
+
+        // 1. Register client
+        RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app",
+                StringUtils.spaceSeparatedToList(redirectUris));
+        registerRequest.setResponseTypes(responseTypes);
+        registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
+
+        RegisterClient registerClient = new RegisterClient(registrationEndpoint);
+        registerClient.setRequest(registerRequest);
+        RegisterResponse registerResponse = registerClient.exec();
+
+        showClient(registerClient);
+        AssertBuilder.registerResponse(registerResponse).created().check();
+
+        String clientId = registerResponse.getClientId();
+
+        // 3. Request authorization
+        responseTypes = Arrays.asList(
+                ResponseType.TOKEN,
+                ResponseType.ID_TOKEN);
+
+        List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
+        String nonce = UUID.randomUUID().toString();
+        String state = UUID.randomUUID().toString();
+
+        AuthorizationRequest authorizationRequest1 = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
+        authorizationRequest1.setState(state);
+        authorizationRequest1.setNonce(nonce);
+
+        AuthorizationResponse authorizationResponse1 = authenticateResourceOwnerAndGrantAccess(
+                authorizationEndpoint, authorizationRequest1, userId, userSecret);
+
+        assertNotNull(authorizationResponse1.getLocation(), "The location is null");
+        assertNotNull(authorizationResponse1.getAccessToken(), "The access token is null");
+        assertNotNull(authorizationResponse1.getState(), "The state is null");
+        assertNotNull(authorizationResponse1.getTokenType(), "The token type is null");
+        assertNotNull(authorizationResponse1.getExpiresIn(), "The expires in value is null");
+        assertNotNull(authorizationResponse1.getScope(), "The scope must be null");
+    }
+
+    /**
+     * This method is used to test when acr_values is sent in Authentication URL
+     */
+    @Parameters({"userId", "userSecret", "redirectUris", "redirectUri", "sectorIdentifierUri"})
+    @Test
+    public void requestAuthorizationAcrValues_withBasic_NotNull(
+            final String userId, final String userSecret, final String redirectUris, final String redirectUri,
+            final String sectorIdentifierUri) {
+
+        showTitle("requestAuthorizationAcrValues_withBasic_NotNull");
+
+        List<ResponseType> responseTypes = Arrays.asList(
+                ResponseType.CODE,
+                ResponseType.TOKEN,
+                ResponseType.ID_TOKEN);
+
+        // 1. Register client
+        RegisterRequest registerRequest = new RegisterRequest(ApplicationType.WEB, "jans test app",
+                StringUtils.spaceSeparatedToList(redirectUris));
+        registerRequest.setResponseTypes(responseTypes);
+        registerRequest.setSectorIdentifierUri(sectorIdentifierUri);
+
+        RegisterClient registerClient = new RegisterClient(registrationEndpoint);
+        registerClient.setRequest(registerRequest);
+        RegisterResponse registerResponse = registerClient.exec();
+
+        showClient(registerClient);
+        AssertBuilder.registerResponse(registerResponse).created().check();
+
+        String clientId = registerResponse.getClientId();
+
+        // 2. Request authorization
+        responseTypes = Arrays.asList(
+                ResponseType.TOKEN,
+                ResponseType.ID_TOKEN);
+
+        List<String> scopes = Arrays.asList("openid", "profile", "address", "email");
+        String nonce = UUID.randomUUID().toString();
+        String state = UUID.randomUUID().toString();
+
+        AuthorizationRequest authorizationRequest1 = new AuthorizationRequest(responseTypes, clientId, scopes, redirectUri, nonce);
+        authorizationRequest1.setState(state);
+        authorizationRequest1.setNonce(nonce);
+        authorizationRequest1.setAcrValues(Arrays.asList("basic") );
+
+        AuthorizationResponse authorizationResponse1 = authenticateResourceOwnerAndGrantAccess(
+                authorizationEndpoint, authorizationRequest1, userId, userSecret);
+
+        assertNotNull(authorizationResponse1.getLocation(), "The location is null");
+        assertNotNull(authorizationResponse1.getAccessToken(), "The access token is null");
+        assertNotNull(authorizationResponse1.getState(), "The state is null");
+        assertNotNull(authorizationResponse1.getTokenType(), "The token type is null");
+        assertNotNull(authorizationResponse1.getExpiresIn(), "The expires in value is null");
+        assertNotNull(authorizationResponse1.getScope(), "The scope must be null");
+    }
+}

jans-auth-server/client/src/test/resources/testng.xml

@@ -1138,5 +1138,9 @@
             <class name="io.jans.as.client.ws.rs.jarm.AuthorizationServerMetadataHttpTest"/>
         </classes>
     </test>
-
+    <test name="Test Authorization ACR values" enabled="true">
+        <classes>
+            <class name="io.jans.as.client.ws.rs.AuthorizationAcrValuesTest"/>
+        </classes>
+    </test>
 </suite>

jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java

@@ -163,6 +163,7 @@ public class AppConfiguration implements Configuration {
 
     //feature flags
     private Boolean redirectUrisRegexEnabled = false;
+    private Boolean useHighestLevelScriptIfAcrScriptNotFound = true;
 
     private Boolean authenticationFiltersEnabled;
     private Boolean clientAuthenticationFiltersEnabled;
@@ -2483,4 +2484,12 @@ public Boolean getRedirectUrisRegexEnabled() {
     public void setRedirectUrisRegexEnabled(Boolean redirectUrisRegexEnabled) {
         this.redirectUrisRegexEnabled = redirectUrisRegexEnabled;
     }
+
+    public Boolean getUseHighestLevelScriptIfAcrScriptNotFound() {
+        return useHighestLevelScriptIfAcrScriptNotFound != null && useHighestLevelScriptIfAcrScriptNotFound;
+    }
+
+    public void setUseHighestLevelScriptIfAcrScriptNotFound(Boolean useHighestLevelScriptIfAcrScriptNotFound) {
+        this.useHighestLevelScriptIfAcrScriptNotFound = useHighestLevelScriptIfAcrScriptNotFound;
+    }
 }

jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalAuthenticationService.java

@@ -9,6 +9,7 @@
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
 import io.jans.as.common.service.common.ApplicationFactory;
+import io.jans.as.model.configuration.AppConfiguration;
 import io.jans.as.server.service.cdi.event.ReloadAuthScript;
 import io.jans.as.server.service.external.internal.InternalDefaultPersonAuthenticationType;
 import io.jans.model.AuthenticationScriptUsageType;
@@ -53,6 +54,9 @@ public class ExternalAuthenticationService extends ExternalScriptService {
     @Inject
     private InternalDefaultPersonAuthenticationType internalDefaultPersonAuthenticationType;
 
+    @Inject
+    private AppConfiguration appConfiguration;
+
     private static final long serialVersionUID = 7339887464253044927L;
 
     private Map<AuthenticationScriptUsageType, List<CustomScriptConfiguration>> customScriptConfigurationsMapByUsageType;
@@ -358,14 +362,17 @@ public CustomScriptConfiguration determineCustomScriptConfiguration(Authenticati
 
         if (authModes.size() > 0) {
             for (String authMode : authModes) {
-                for (CustomScriptConfiguration customScriptConfiguration : this.customScriptConfigurationsMapByUsageType.get(usageType)) {
+                for (CustomScriptConfiguration customScriptConfiguration : this.customScriptConfigurationsMapByUsageType.get(usageType) ) {
                     if (StringHelper.equalsIgnoreCase(authMode, customScriptConfiguration.getName())) {
                         return customScriptConfiguration;
                     }
                 }
             }
         }
 
+        if (appConfiguration.getUseHighestLevelScriptIfAcrScriptNotFound()) {
+            return getDefaultExternalAuthenticator(usageType);
+        }
         return null;
     }
 
@@ -535,4 +542,12 @@ public AuthenticationScriptUsageType getUsageType() {
 
         return new CustomScriptConfiguration(customScript, internalDefaultPersonAuthenticationType, new HashMap<>(0));
     }
+
+    public void setCustomScriptConfigurationsMapByUsageType(Map<AuthenticationScriptUsageType, List<CustomScriptConfiguration>> customScriptConfigurationsMapByUsageType) {
+        this.customScriptConfigurationsMapByUsageType = customScriptConfigurationsMapByUsageType;
+    }
+
+    public void setDefaultExternalAuthenticators(Map<AuthenticationScriptUsageType, CustomScriptConfiguration> defaultExternalAuthenticators) {
+        this.defaultExternalAuthenticators = defaultExternalAuthenticators;
+    }
 }