JanssenProject · yuriyz · Mar 7, 2024 · Mar 6, 2024 · Mar 6, 2024 · Mar 7, 2024
diff --git a/docs/admin/auth-server/endpoints/authorization-challenge.md b/docs/admin/auth-server/endpoints/authorization-challenge.md
@@ -152,6 +152,29 @@ deviceSessionObject.getAttributes().getAttributes().put("client_id", clientId);
 
 Full sample script can be found [here](../../../script-catalog/authorization_challenge/AuthorizationChallenge.java)
 
+## Web session
+
+Authorization challenge script is first-party flow and thus web session is not created by default. 
+However there can be cases when such session has to be created. Please set **authorizationChallengeShouldGenerateSession** configuration property to **true**
+to force session creation. 
+
+In case it is needed to prepare session with specific data, it is possible to create session
+in script and set it into context. Example:
+
+```java
+SessionIdService sessionIdService = CdiUtil.bean(SessionIdService.class);
+Identity identityService = CdiUtil.bean(Identity.class);
+
+Map<String, String> sessionStore = new HashMap<String, String>();
+sessionStore.put("login_id_token",login_id_token);
+sessionStore.put("login_access_token",login_access_token);
+sessionStore.put("transaction_status","PENDING");
+SessionId sessionId = sessionIdService.generateAuthenticatedSessionId(context.getHttpRequest(), user.getDn(), sessionStore);
+
+context.getExecutionContext().setAuthorizationChallengeSessionId(sessionId);
+scriptLogger.trace("Created Authorization challenge session successfully");
+``` 
+
 ## Multi-step example
 
 Sometimes it's required to send data sequentially. Step by step. Calls to Authorization Challenge Endpoint must have 

@@ -153,6 +153,7 @@ public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBi
         authorizeRestWebServiceValidator.validateAuthorizationDetails(authzRequest, client);
 
         final ExecutionContext executionContext = ExecutionContext.of(authzRequest);
+        executionContext.setSessionId(sessionUser);
 
         if (user == null) {
             log.trace("Executing external authentication challenge");
@@ -168,9 +169,9 @@ public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBi
 
             user = executionContext.getUser() != null ? executionContext.getUser() : new User();
 
-            // generate session if not exist and if allowed by config
-            if (sessionUser == null) {
-                sessionUser = generateAuthenticateSessionWithCookie(authzRequest, user);
+            // generate session if not exist and if allowed by config (or if session is prepared by script)
+            if (sessionUser == null || executionContext.getAuthorizationChallengeSessionId() != null) {
+                sessionUser = generateAuthenticateSessionWithCookieIfNeeded(authzRequest, user, executionContext.getAuthorizationChallengeSessionId());
             }
         }
 
@@ -194,16 +195,24 @@ public Response authorize(AuthzRequest authzRequest) throws IOException, TokenBi
         return createSuccessfulResponse(authorizationCode);
     }
 
-    private SessionId generateAuthenticateSessionWithCookie(AuthzRequest authzRequest, User user) {
+    private SessionId generateAuthenticateSessionWithCookieIfNeeded(AuthzRequest authzRequest, User user, SessionId scriptGeneratedSession) {
         if (user == null) {
             log.trace("Skip session_id generation because user is null");
             return null;
         }
+
         if (isFalse(appConfiguration.getAuthorizationChallengeShouldGenerateSession())) {
             log.trace("Skip session_id generation because it's not allowed by AS configuration ('authorizationChallengeShouldGenerateSession=false')");
             return null;
         }
 
+        if (scriptGeneratedSession != null) {
+            log.trace("Authorization Challenge script generated session: {}.", scriptGeneratedSession.getId());
+            cookieService.createSessionIdCookie(scriptGeneratedSession, authzRequest.getHttpRequest(), authzRequest.getHttpResponse(), false);
+            log.trace("Created cookie for authorization Challenge script generated session: {}.", scriptGeneratedSession.getId());
+            return scriptGeneratedSession;
+        }
+
         Map<String, String> genericRequestMap = getGenericRequestMap(authzRequest.getHttpRequest());
 
         Map<String, String> parameterMap = Maps.newHashMap(genericRequestMap);

@@ -44,6 +44,7 @@ public class ExecutionContext {
 
     private SessionId sessionId;
     private List<SessionId> currentSessions;
+    private SessionId authorizationChallengeSessionId;
 
     private AuthzRequest authzRequest;
     private AuthzDetails authzDetails;
@@ -127,6 +128,7 @@ public static ExecutionContext of(ExecutionContext context) {
         executionContext.user = context.user;
         executionContext.sessionId = context.sessionId;
         executionContext.currentSessions = context.currentSessions;
+        executionContext.authorizationChallengeSessionId = context.authorizationChallengeSessionId;
         executionContext.authzRequest = context.authzRequest;
         executionContext.authzDetails = context.authzDetails;
         executionContext.authzDetail = context.authzDetail;
@@ -192,6 +194,14 @@ public void setUser(User user) {
         this.user = user;
     }
 
+    public SessionId getAuthorizationChallengeSessionId() {
+        return authorizationChallengeSessionId;
+    }
+
+    public void setAuthorizationChallengeSessionId(SessionId authorizationChallengeSessionId) {
+        this.authorizationChallengeSessionId = authorizationChallengeSessionId;
+    }
+
     public List<SessionId> getCurrentSessions() {
         return currentSessions;
     }