Skip to content

Post Authentication

Overview#

After the browser has a session, if a person visits the website, the requesting party can obtain a code without the user having to authenticate or authorize. In some cases, it is desirable to insert custom business logic before granting the code or tokens from the authorization endpoint. Post Authentication script allows to force re-authentication or re-authorization (even if client is "Pre-authorized" or client authorization persistence is on).

Interface#

The post authentication script implements the PostAuthnType interface. This extends methods from the base script type in addition to adding new methods:

Inherited Methods#

Method header Method description
def init(self, customScript, configurationAttributes) This method is only called once during the script initialization. It can be used for global script initialization, initiate objects etc
def destroy(self, configurationAttributes) This method is called once to destroy events. It can be used to free resource and objects created in the init() method
def getApiVersion(self, configurationAttributes, customScript) The getApiVersion method allows API changes in order to do transparent migration from an old script to a new API. Only include the customScript variable if the value for getApiVersion is greater than 10

New Methods#

Method header Method description
def forceReAuthentication(self, context) This method is called during Authorization Request at Authorization Endpoint. If True is returned, session is set as unauthenticated and user is send for authentication.
def forceAuthorization(self, context) This method is called during Authorization Request at Authorization Endpoint. If True is returned user is send for Authorization. By default if client is "Pre-Authorized" or "Client Persist Authorizations" is on, authorization is skipped. This script has higher priority and can cancel Pre-Authorization and persisted authorizations.

Objects#

Object name Object description
customScript The custom script object. Reference
configurationAttributes configurationProperties passed in when adding custom script. Map<String, SimpleCustomProperty> configurationAttributes
SimpleCustomProperty Map of configuration properties. Reference
context Reference

Use case: Dummy Post Authentication script (does not force re-authentication)#

This was adapted from Gluu Post Authentication script example.

Script Type: Python#

from io.jans.model.custom.script.type.postauthn import PostAuthnType

class PostAuthn(PostAuthnType):
    def __init__(self, currentTimeMillis):
        self.currentTimeMillis = currentTimeMillis

    def init(self, customScript, configurationAttributes):
        print "Post Authn script. Initializing ..."
        print "Post Authn script. Initialized successfully"

        return True

    def destroy(self, configurationAttributes):
        print "Post Authn script. Destroying ..."
        print "Post Authn script. Destroyed successfully"
        return True

    def getApiVersion(self):
        return 11

    def forceReAuthentication(self, context):
        return False

    def forceAuthorization(self, context):
        return False

Script Type: Java#

import java.util.Map;

import io.jans.model.SimpleCustomProperty;
import io.jans.model.custom.script.model.CustomScript;
import io.jans.model.custom.script.type.postauthn.PostAuthnType;
import io.jans.service.custom.script.CustomScriptManager;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class PostAuthn implements PostAuthnType {

    private static final Logger log = LoggerFactory.getLogger(CustomScriptManager.class);

    @Override
    public boolean init(Map<String, SimpleCustomProperty> configurationAttributes) {
        log.info("Post Authentication. Initializing...");
        log.info("Post Authentication. Initialized");
        return true;
    }

    @Override
    public boolean init(CustomScript customScript, Map<String, SimpleCustomProperty> configurationAttributes) {
        log.info("Post Authentication. Initializing...");
        log.info("Post Authentication. Initialized");
        return true;
    }

    @Override
    public boolean destroy(Map<String, SimpleCustomProperty> configurationAttributes) {
        log.info("Post Authentication. Destroying...");
        log.info("Post Authentication. Destroyed.");
        return true;
    }

    @Override
    public int getApiVersion() {
        return 11;
    }

    @Override
    public boolean forceReAuthentication(Object context) {
        return false;
    }

    @Override
    public boolean forceAuthorization(Object context) {
        return false;
    }

}

Last update: 2024-10-21
Created: 2022-05-18