We are running custom ROPC scripts and, at the moment, there is no way of telling the end user why the script failed and telling them a bit more about that.
For example, we want to create a custom error and error_description, conforming to the OIDC specs, and use the following sample in our ROPC script:
```python
exception = context.createWebApplicationException(503, '{"error": "access_denied", "error_description": "User is blacklisted"}')
context.setWebApplicationException(exception)
```
This should send the below response to the end user:
```json
{"error": "access_denied", "error_description": "User is blacklisted"}
```
with HTTP status code as 503.
For this, we would have to enhance the ExternalResourceOwnerPasswordCredentialsService.java file to have some better Exception handling. At the moment, it does not do anything about the exception, but just saves it in the Script configurations.
https://github.com/JanssenProject/jans/blob/main/jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalResourceOwnerPasswordCredentialsService.java#L71
```java
} catch (Exception ex) {
    log.error(ex.getMessage(), ex);
    saveScriptError(customScriptConfiguration.getCustomScript(), ex);
    return false;
}
```
We would like to change it to this:
```java
} catch (WebApplicationException e) {
    if (log.isTraceEnabled()) {
        log.trace("WebApplicationException from script", e);
    }
    throw e;
} catch (Exception ex) {
    log.error(ex.getMessage(), ex);
    saveScriptError(context.getScript().getCustomScript(), ex);
    throw new WebApplicationException(errorResponseFactory
            .newErrorResponse(Response.Status.INTERNAL_SERVER_ERROR)
            .entity(errorResponseFactory.getErrorAsJson(TokenErrorResponseType.ACCESS_DENIED, "", "Unable to run 'executeExternalAuthenticate' method in ROPC script."))
            .build());
}
```
In this way, if we throw a custom WebApplicationException with a proper error and error_description, it will be thrown as it is. Otherwise, if there is any other type of exception, it shall be converted to a WebApplicationException and the user shall be shown the error:
```json
{"error":"access_denied","error_description":"The resource owner or authorization server denied the request.","reason":"Unable to run 'executeExternalAuthenticate' method in ROPC script."}
```
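The control flow requested above, modelled in Python as an added example (not code from the issue or from the Janssen code base): a deliberate script error is passed through, while any other exception becomes the generic body so that internal detail stays in the server log. `ScriptHttpError`, `well_formed` and `failure_response` are hypothetical names, and validating the script-supplied body against the RFC 6749 section 5.2 character set is an extra check assumed here, not part of the proposal.

```python
import json
import re

# RFC 6749 section 5.2: "error" and "error_description" may only use
# %x20-21 / %x23-5B / %x5D-7E (printable ASCII without '"' and '\').
_ALLOWED = re.compile(r"[\x20\x21\x23-\x5B\x5D-\x7E]+")

# Generic body from the issue, returned for every unexpected failure.
GENERIC = {
    "error": "access_denied",
    "error_description": "The resource owner or authorization server denied the request.",
    "reason": "Unable to run 'executeExternalAuthenticate' method in ROPC script.",
}


class ScriptHttpError(Exception):
    """Hypothetical stand-in for the WebApplicationException a script raises."""

    def __init__(self, status, body):
        super().__init__(body)
        self.status, self.body = status, body


def well_formed(body):
    """True if body is a JSON object whose error fields fit RFC 6749."""
    try:
        doc = json.loads(body)
    except (ValueError, TypeError):
        return False
    if not isinstance(doc, dict) or "error" not in doc:
        return False
    fields = [doc[k] for k in ("error", "error_description") if k in doc]
    return all(isinstance(v, str) and _ALLOWED.fullmatch(v) for v in fields)


def failure_response(script):
    """Run script(); return (status, body) if it raised, else None."""
    try:
        script()
    except ScriptHttpError as e:
        if well_formed(e.body):
            return e.status, json.loads(e.body)  # deliberate error: passed through
        return 500, GENERIC  # malformed script body: fall back to generic
    except Exception:
        # Detail belongs in the server log only, never in the response.
        return 500, GENERIC
    return None
```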