From f863bd3cf8471e7624479e3e1d821e3c34fb9b83 Mon Sep 17 00:00:00 2001
From: Yuriy Movchan
Date: Thu, 30 Jan 2025 22:19:00 +0300
Subject: [PATCH 1/2] feat(jans-lock): redirect for consent if external script is enabled and client is not authorized

Signed-off-by: Yuriy Movchan
---
 .../authorize/ws/rs/AuthorizeRestWebServiceImpl.java | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
index f5c218e5d40..02b8055ce71 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
@@ -174,6 +174,9 @@ public class AuthorizeRestWebServiceImpl implements AuthorizeRestWebService {
 @Inject
 private ExternalResourceOwnerPasswordCredentialsService externalResourceOwnerPasswordCredentialsService;

+ @Inject
+ private ExternalConsentGatheringService externalConsentGatheringService;
+
 @Inject
 private DpopService dpopService;

@@ -603,8 +606,12 @@ private void checkPromptConsent(AuthzRequest authzRequest, SessionId sessionUser
 authzRequest.removePrompt(Prompt.CONSENT);
 return;
 }
+
+ if (isTrue(sessionUser.isPermissionGrantedForClient(authzRequest.getClientId()))) {
+ return;
+ }

- if (authzRequest.getPromptList().contains(Prompt.CONSENT) || !isTrue(sessionUser.isPermissionGrantedForClient(authzRequest.getClientId()))) {
+ if (authzRequest.getPromptList().contains(Prompt.CONSENT) || externalConsentGatheringService.isEnabled()) {
 if (!clientAuthorizationFetched) {
 clientAuthorization = clientAuthorizationsService.find(user.getAttribute("inum"), authzRequest.getClient().getClientId());
 }
From 295f8ffd36b566608ee1e4d92557bf586c9f2f28 Mon Sep 17 00:00:00 2001
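Review bot: In the second hunk the rewritten condition drops `!isTrue(sessionUser.isPermissionGrantedForClient(authzRequest.getClientId()))`, so at this commit a session that has not granted the client, on a request without `prompt=consent`, skips the block that starts with the `clientAuthorization` lookup whenever `externalConsentGatheringService.isEnabled()` is false. The early `return` added above it also runs before the `Prompt.CONSENT` test, so an explicit `prompt=consent` appears to be ignored once the session holds a grant. PATCH 2/2 restores both, so squash the two commits rather than leave a bisectable revision with the weaker consent gate. `checkPromptConsent` starts and ends outside the hunk, so the effect of skipping the block is inferred from the commit subject.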
From: Yuriy Movchan
Date: Fri, 31 Jan 2025 12:50:55 +0300
Subject: [PATCH 2/2] feat(jans-auth): redirect for consent if external script is enabled and client is not authorized

Signed-off-by: Yuriy Movchan
---
 .../authorize/ws/rs/AuthorizeRestWebServiceImpl.java | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
index 02b8055ce71..d681b4fe0cb 100644
--- a/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
+++ b/jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeRestWebServiceImpl.java
@@ -77,6 +77,7 @@

 import static io.jans.as.server.authorize.ws.rs.AuthzRequestService.canLogWebApplicationException;
 import static org.apache.commons.lang3.BooleanUtils.isTrue;
+import static org.apache.commons.lang3.BooleanUtils.isFalse;
 import static org.apache.commons.lang3.BooleanUtils.toBoolean;

 /**
@@ -606,12 +607,11 @@ private void checkPromptConsent(AuthzRequest authzRequest, SessionId sessionUser
 authzRequest.removePrompt(Prompt.CONSENT);
 return;
 }
-
- if (isTrue(sessionUser.isPermissionGrantedForClient(authzRequest.getClientId()))) {
- return;
- }

- if (authzRequest.getPromptList().contains(Prompt.CONSENT) || externalConsentGatheringService.isEnabled()) {
+ if (authzRequest.getPromptList().contains(Prompt.CONSENT) || (!isTrue(sessionUser.isPermissionGrantedForClient(authzRequest.getClientId())) || externalConsentGatheringService.isEnabled())) {
+ if (!authzRequest.getPromptList().contains(Prompt.CONSENT) && isTrue(sessionUser.isPermissionGrantedForClient(authzRequest.getClientId()))) {
+ return;
+ }
 if (!clientAuthorizationFetched) {
 clientAuthorization = clientAuthorizationsService.find(user.getAttribute("inum"), authzRequest.getClient().getClientId());
 }
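Review bot: The added `import static org.apache.commons.lang3.BooleanUtils.isFalse;` is not used by any line in this patch; the new conditions use `isTrue` and `!isTrue`. Drop it unless code outside these hunks calls it. If it was meant to replace `!isTrue(...)`, note that `isFalse(null)` is `false` while `!isTrue(null)` is `true`, so if `isPermissionGrantedForClient` can return null, a session with no recorded decision for the client would stop being treated as not granted.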
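Review bot: The `externalConsentGatheringService.isEnabled()` term in the new outer condition of the second hunk has no effect on the result, because the inner guard returns whenever `Prompt.CONSENT` is absent and the session permission is granted, which is the only case that term lets in. The code after the guard therefore runs exactly when `contains(Prompt.CONSENT) || !isTrue(isPermissionGrantedForClient(...))`, the condition that existed before this series. If that is the intent, restore the single line `if (authzRequest.getPromptList().contains(Prompt.CONSENT) || !isTrue(sessionUser.isPermissionGrantedForClient(authzRequest.getClientId()))) {` and drop the inner `if`/`return`. If the external consent script is meant to force consent for an already-granted session, the guard defeats it, and the intended rule should be stated in a comment above the condition. `checkPromptConsent` starts and ends outside the hunk.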