11101 - maduvena/jans-docs GitHub Wiki

Hi Neha,

Thank you for your patience. Firstly, you are right that the previous session attributes are completely lost at steps 5 and 6.

So the way to go about it is as follows.

  1. When the user authenticates for the very first time (before step 1 itself), we enable the UpdateToken script. Reference doc from the Janssen project: Here. In the script we modify the ID token to include a claim called "uid". (Similarly, the access token can also include a new "custom claim", say "uid" in our case):

```python
from io.jans.service.cdi.util import CdiUtil
from io.jans.as.server.service import SessionIdService

# Returns boolean, true - indicates that script applied changes
# jsonWebResponse - is JwtHeader, you can use any method to manipulate JWT
# context is reference of io.jans.oxauth.service.external.context.ExternalUpdateTokenContext
def modifyIdToken(self, jsonWebResponse, context):
    sessionIdService = CdiUtil.bean(SessionIdService)
    # fetch from persistence the session that issued this grant
    session = sessionIdService.getSessionByDn(context.getGrant().getSessionDn())

    # the authenticated user's uid was stored in the session as "auth_user"
    uid = session.getSessionAttributes().get("auth_user")

    # custom claims
    jsonWebResponse.getClaims().setClaim("uid", uid)

    return True
```
  2. In the RP, we extract the uid from the ID token and store the uid in your own session, or in any way you want.

  3. When you redirect to the AS the second time for re-authentication, you will pass the uid as the login_hint parameter. See this:

When the authentication request that triggers the authentication contains the `login_hint` parameter (see http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), this value is used to automatically populate the username input field in the initial form. 

This login_hint is read by the Person Authentication script in the acr=otp flow:

```python
import sys
from io.jans.service.cdi.util import CdiUtil
from io.jans.as.server.security import Identity
from io.jans.as.server.service import AuthenticationService, SessionIdService
from io.jans.as.server.util import ServerUtil
from io.jans.jsf2.message import FacesMessages
from javax.faces.application import FacesMessage

def prepareForStep(self, configurationAttributes, requestParameters, step):
    print "Prepare for step %s" % step
    if step == 1:
        try:
            # login_hint carries the uid the RP extracted from the earlier ID token
            uid = ServerUtil.getFirstValue(requestParameters, "login_hint")
            identity = CdiUtil.bean(Identity)
            # keep it as a working parameter so authenticate() can read it back
            identity.setWorkingParameter("username", uid)
            return True
        except:
            print "OTP. Exception: '%s'" % (sys.exc_info()[1])
            return False
    else:
        return False

def authenticate(self, configurationAttributes, requestParameters, step):
    print "Basic, authentication for step %s" % step
    authenticationService = CdiUtil.bean(AuthenticationService)
    identity = CdiUtil.bean(Identity)
    # username was populated from login_hint in prepareForStep
    username = identity.getWorkingParameter("username")
    print username

    # Here we set hard coded otp
    otp = '12345'
    inputOtp = ServerUtil.getFirstValue(requestParameters, "loginForm:otpCode")
    print "Client end otp %s" % inputOtp
    print "Server end otp %s" % otp
    if otp == inputOtp:
        print "OTP Authenticated"
        print CdiUtil.bean(SessionIdService).getSessionId()
        # authenticate the user named in login_hint (the variable, not the literal 'username')
        authenticationService.authenticate(username)
        return True
    else:
        print "Wrong otp"
        # surface the error on the login form instead of calling an undefined helper
        facesMessages = CdiUtil.bean(FacesMessages)
        facesMessages.add(FacesMessage.SEVERITY_ERROR, "Wrong otp entered")
        return False
```
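The RP side of steps 2 and 3, as an added example that is not from the original reply or from the Janssen project: it verifies a demo ID token before trusting the custom "uid" claim, then builds the second authorization request with that uid as login_hint and acr_values=otp. It assumes an HS256 token signed with a constructed shared key (DEMO_KEY) standing in for the RS256/JWKS check a real RP performs against the AS; the issuer, client id and endpoint values are placeholders.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode

# Constructed demo key. A real RP verifies the RS256 signature against the AS JWKS instead.
DEMO_KEY = b"constructed-demo-hmac-key"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_demo_id_token(claims, key=DEMO_KEY):
    """Stand-in for the ID token the UpdateToken script emits with the extra 'uid' claim."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    return "%s.%s.%s" % (header, payload, b64url(sig))

def extract_uid(id_token, issuer, client_id, key=DEMO_KEY, now=None):
    """Step 2: trust 'uid' only after alg, signature, iss, aud and exp all check out."""
    header, payload, sig = id_token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":  # refuses alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, ("%s.%s" % (header, payload)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("iss") != issuer or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    uid = claims.get("uid")
    if not uid:
        raise ValueError("uid claim missing: is the UpdateToken script enabled?")
    return uid

def reauth_url(authz_endpoint, client_id, redirect_uri, uid, state, nonce):
    """Step 3: second authorization request, acr_values=otp and the stored uid as login_hint."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": "openid", "acr_values": "otp", "login_hint": uid,
        "state": state, "nonce": nonce,  # fresh per request; binds the callback to this session
    }
    return authz_endpoint + "?" + urlencode(params)
```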