docs/admin/developer/scripts/consent-gathering.md
+6-4
@@ -3,10 +3,12 @@ tags:
3
3
- administration
4
4
- developer
5
5
- scripts
6
+
- ConsentGathering
7
+
- ConsentGatheringType
6
8
---
7
9
8
10
## Overview
9
-
OAuth 2.0 allows providers to prompt users for consent before releasing their personal information to a client (application). The standard consent process is binary: approve or deny. Using the consent gathering interception script, the consent flow can be customized to meet unique business requirements, for instance to support payment authorization, where you need to present transactional information, or where you need to step-up authentication to add security.
11
+
OAuth 2.0 allows providers to prompt users for consent before releasing their personal information to a client (application). The standard consent process is binary: approve or deny. Using the consent gathering interception script, the consent flow can be customized to meet unique business requirements, for instance to support payment authorization, where you need to present transactional information, or where you need to step-up authentication to add security.
10
12
11
13
## Interface
12
14
The consent gathering script implements the [ConsentGathering](https://github.com/JanssenProject/jans/blob/main/jans-core/script/src/main/java/io/jans/model/custom/script/type/authz/ConsentGatheringType.java) interface. This extends methods from the base script type in addition to adding new methods:
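Review bot: The context line under `## Interface` uses `[ConsentGathering]` as the link text while the link target is `ConsentGatheringType.java`, and this hunk now adds both `ConsentGathering` and `ConsentGatheringType` as tags. Suggest making the link text `ConsentGatheringType` so the interface name matches the file it points to, since the later hunk headers show `class ConsentGathering(ConsentGatheringType)` as the script class. The Overview paragraph is also removed and re-added with no visible text difference; if that is a whitespace-only change, say so in the commit message.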
@@ -65,7 +67,7 @@ class ConsentGathering(ConsentGatheringType):
65
67
return11
66
68
67
69
# All user entered values can be access via Map<String, String> context.getPageAttributes()
68
-
defauthorize(self, step, context):
70
+
defauthorize(self, step, context):
69
71
print"Consent-Gathering. Authorizing..."
70
72
71
73
if step ==1:
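Review bot: The `authorize(self, step, context)` definition is removed and re-added with no visible text change, so this is a whitespace-only edit inside a Python class body where indentation is significant. Please confirm the new indentation matches the other methods of `class ConsentGathering(ConsentGatheringType)` so the sample still parses when copied. While this spot is being touched, the comment directly above reads "can be access via"; suggest "can be accessed via".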
@@ -95,7 +97,7 @@ class ConsentGathering(ConsentGatheringType):
95
97
96
98
if step ==2:
97
99
pageAttributes = context.getPageAttributes()
98
-
100
+
99
101
# Generate random consent gathering request
100
102
consentRequest ="Requested transaction #%s approval for the amount of sum $ %s.00"% ( random.randint(100000, 1000000), random.randint(1, 100) )
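Review bot: The comment "# Generate random consent gathering request" in the `if step == 2:` branch is the only hint that the transaction number and amount shown to the user come from `random.randint`. Suggest extending that comment to say these are placeholder values for the sample and that a real script must present the actual transaction data being authorized. The change in this hunk itself is whitespace on the blank line after `pageAttributes = context.getPageAttributes()`, which is fine.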
docs/admin/developer/scripts/person-authentication-interface.md
+113-98
@@ -5,113 +5,128 @@ tags:
5
5
- scripts
6
6
---
7
7
8
-
9
-
10
8
## Person Authentication interface
11
9
The **[PersonAuthenticationType](https://github.com/JanssenProject/jans/blob/main/jans-core/script/src/main/java/io/jans/model/custom/script/type/auth/PersonAuthenticationType.java)** script is described by a java interface whose methods should be overridden to implement an authentication workflow.
12
10
13
-
### Methods to override:
14
-
1.`init(self, customScript, configurationAttributes)` : This method is only called once during the script initialization (or jans-auth service restarts). It can be used for global script initialization, initiate objects etc.
15
-
```
11
+
### Inherited Methods
12
+
| Method header | Method description |
13
+
|:-----|:------|
14
+
|`def init(self, customScript, configurationAttributes)`| This method is only called once during the script initialization. It can be used for global script initialization, initiate objects etc |
15
+
|`def destroy(self, configurationAttributes)`| This method is called once to destroy events. It can be used to free resource and objects created in the `init()` method |
16
+
|`def getApiVersion(self, configurationAttributes, customScript)`| The getApiVersion method allows API changes in order to do transparent migration from an old script to a new API. Only include the customScript variable if the value for getApiVersion is greater than 10 |
17
+
18
+
#### Objects
19
+
| Object name | Object description |
20
+
|:-----|:------|
21
+
|`customScript`| The custom script object. [Reference](https://github.com/JanssenProject/jans/blob/main/jans-core/script/src/main/java/io/jans/model/custom/script/model/CustomScript.java)|
22
+
|`configurationAttributes`|`configurationProperties` passed in when adding custom script. `Map<String, SimpleCustomProperty> configurationAttributes`|
23
+
|`SimpleCustomProperty`| Map of configuration properties. [Reference](https://github.com/JanssenProject/jans/blob/main/jans-core/util/src/main/java/io/jans/model/SimpleCustomProperty.java)|
2.`destroy(self, configurationAttributes)` : This method is called when a custom script fails to initialize or upon jans-auth service restarts. It can be used to free resource and objects created in the init() method
24
-
```
34
+
```
25
35
def destroy(self, configurationAttributes):
26
-
print "OTP. Destroy"
36
+
print "ACR_NAME. Destroy"
27
37
# cleanup code here
28
38
return True
29
-
```
30
-
31
-
3.` authenticate(self, configurationAttributes, requestParameters, step)` : The most important method which will encapsulate the logic for user credential verification / validation
4.`prepareForStep(self, configurationAttributes, requestParameters, step)` : This method can be used to prepare variables needed to render the UI page and store them in a suitable context.
5.`getExtraParametersForStep` : Used to save session variables between steps. The Jans-auth Server persists these variables to support stateless, two-step authentications even in a clustered environment.
6.`getCountAuthenticationSteps`: This method normally just returns 1, 2, or 3. In some cases, depending on the context like based on the user's country or department, you can decide to go for multistep or single step authentication.
# Used to specify the page you want to return for a given step
74
-
if (step == 1):
75
-
return "/auth/login.xhtml"
76
-
if (step == 2)
77
-
return "/auth/enterOTP.xhtml"
78
-
```
79
-
8.`getNextStep` : Steps usually go incrementally as 1, 2, 3... unless you specify a case where it can be reset to a previous step, or skip a particular step based on business case.
# steps usually are incremented 1, 2, 3... unless you specify a case where it can be reset to a previous step, or skip a particular step based on
83
-
business case.
84
-
return -1
85
-
```
86
-
9.`getAuthenticationMethodClaims` : Array of strings that are identifiers for authentication methods used in the authentication. In OpenID Connect, if the identity provider supplies an "amr" claim in the ID Token resulting from a successful authentication, the relying party can inspect the values returned and thereby learn details about how the authentication was performed.
10.`getApiVersion` : This value is currently meant to be hardcoded to 11
92
-
93
-
```
94
-
def getApiVersion(self):
95
-
return 11
96
-
```
97
-
11.`isValidAuthenticationMethod` : This method is used to check if the authentication method is in a valid state. For example we can check there if a 3rd party mechanism is available to authenticate users. As a result it should either return True or False.
12. `getAlternativeAuthenticationMethod` : This method is called only if the current authentication method is in an invalid state. Hence authenticator calls it only if isValidAuthenticationMethod returns False. As a result it should return the reserved authentication method name.
13. `getLogoutExternalUrl` : Returns the 3rd-party URL that is used to end session routines. The control from this Third party URL should re-direct user back to /oxauth/logout.htm again with empty URL query string. Jans-Auth server will then continue of the extended logout flow, restore the original URL query string, and send user to `/jans-auth/end_session` to complete it.
14. `logout` : This method is not mandatory. It can be used in cases when you need to execute specific logout logic in the authentication script when jans-auth receives an end session request to the /oxauth/logout.htm endpoint (which receives the same set of parameters than the usual end_session endpoint). This method should return True or False; when False jans-auth stops processing the end session request workflow.
|1.|`prepareForStep(self, configurationAttributes, requestParameters, step)`| This method can be used to prepare variables needed to render the UI page and store them in a suitable context.|
50
+
|2.|` authenticate(self, configurationAttributes, requestParameters, step)`| The most important method which will encapsulate the logic for user credential verification / validation|
51
+
|3.|`getExtraParametersForStep`| Used to save session variables between steps. The Jans-auth Server persists these variables to support stateless, two-step authentications even in a clustered environment.|
52
+
|4.|`getCountAuthenticationSteps`| This method normally just returns 1, 2, or 3. In some cases, depending on the context like based on the user's country or department, you can decide to go for multistep or single step authentication.|
53
+
|5.|`getPageForStep`| Used to specify the UI page you want to show for a given step.|
54
+
|6.|`getNextStep`| Steps usually go incrementally as 1, 2, 3... unless you specify a case where it can be reset to a previous step, or skip a particular step based on business case.|
55
+
|7.|`getAuthenticationMethodClaims`| Array of strings that are identifiers for authentication methods used in the authentication. In OpenID Connect, if the identity provider supplies an "amr" claim in the ID Token resulting from a successful authentication, the relying party can inspect the values returned and thereby learn details about how the authentication was performed.|
56
+
|8.|`isValidAuthenticationMethod`| This method is used to check if the authentication method is in a valid state. For example we can check there if a 3rd party mechanism is available to authenticate users. As a result it should either return True or False.|
57
+
|9.|`getAlternativeAuthenticationMethod`| This method is called only if the current authentication method is in an invalid state. Hence authenticator calls it only if isValidAuthenticationMethod returns False. As a result it should return the reserved authentication method name.|
58
+
|10. `getLogoutExternalUrl`| Returns the 3rd-party URL that is used to end session routines. The control from this Third party URL should re-direct user back to /oxauth/logout.htm again with empty URL query string. Jans-Auth server will then continue of the extended logout flow, restore the original URL query string, and send user to `/jans-auth/end_session` to complete it.|
59
+
|11. `logout`| This method is not mandatory. It can be used in cases when you need to execute specific logout logic in the authentication script when jans-auth receives an end session request to the /oxauth/logout.htm endpoint (which receives the same set of parameters than the usual end_session endpoint). This method should return True or False; when False jans-auth stops processing the end session request workflow.|
60
+
61
+
#### Objects
62
+
| Object name | Object description |
63
+
|:-----|:------|
64
+
|`configurationAttributes`|`configurationProperties` passed in when adding custom script. `Map<String, SimpleCustomProperty> configurationAttributes`|
65
+
|`SimpleCustomProperty`| Map of configuration properties. [Reference](https://github.com/JanssenProject/jans/blob/main/jans-core/util/src/main/java/io/jans/model/SimpleCustomProperty.java)|
# steps usually are incremented 1, 2, 3... unless you specify a case where it can be reset to a previous step, or skip a particular step based on business case.
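Review bot: Rows 10 and 11 of the new methods table are missing the column separator after the number: they start `|10. ` and `|11. ` followed by the method name, where rows 1 to 9 use `|1.|`. Those two rows will render with two cells instead of three, so change them to `|10.|` and `|11.|`. Two smaller points in the same hunk: the new `destroy` description ("called once to destroy events") drops the information from the removed text that it runs when a custom script fails to initialize or when jans-auth restarts, which is worth keeping; and the `getLogoutExternalUrl` and `logout` rows still refer to `/oxauth/logout.htm` while the same rows use `/jans-auth/end_session`, so please check which path is correct for Janssen. The leading space inside the backticks of `authenticate(self, configurationAttributes, requestParameters, step)` can also be dropped.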