/* * Copyright 2025 Hirokazu Kobayashi * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.idp.server.core.openid.authentication; import java.time.LocalDateTime; import java.util.HashMap; import java.util.List; import java.util.Map; import org.idp.server.core.openid.authentication.acr.AcrResolver; import org.idp.server.core.openid.authentication.evaluator.MfaConditionEvaluator; import org.idp.server.core.openid.authentication.loa.LoaDeniedScopeResolver; import org.idp.server.core.openid.authentication.policy.AuthenticationPolicy; import org.idp.server.core.openid.authentication.policy.AuthenticationResultConditionConfig; import org.idp.server.core.openid.authentication.policy.AuthenticationStepDefinition; import org.idp.server.core.openid.federation.FederationInteractionResult; import org.idp.server.core.openid.identity.User; import org.idp.server.core.openid.identity.device.AuthenticationDevice; import org.idp.server.core.openid.oauth.type.AuthFlow; import org.idp.server.platform.date.SystemDateTime; import org.idp.server.platform.exception.BadRequestException; public class AuthenticationTransaction { AuthenticationTransactionIdentifier identifier; AuthorizationIdentifier authorizationIdentifier; AuthenticationRequest request; AuthenticationPolicy authenticationPolicy; AuthenticationInteractionResults interactionResults; AuthenticationTransactionAttributes attributes; public AuthenticationTransaction() {} public AuthenticationTransaction( AuthenticationTransactionIdentifier identifier, AuthorizationIdentifier authorizationIdentifier, AuthenticationRequest request, AuthenticationPolicy authenticationPolicy, AuthenticationTransactionAttributes attributes) { this( identifier, authorizationIdentifier, request, authenticationPolicy, new AuthenticationInteractionResults(), attributes); } public AuthenticationTransaction( AuthenticationTransactionIdentifier identifier, AuthorizationIdentifier authorizationIdentifier, AuthenticationRequest request, AuthenticationPolicy authenticationPolicy, AuthenticationInteractionResults interactionResults, AuthenticationTransactionAttributes attributes) { this.identifier = identifier; this.authorizationIdentifier = authorizationIdentifier; this.request = request; this.authenticationPolicy = authenticationPolicy; this.interactionResults = interactionResults; this.attributes = attributes; } public AuthenticationTransaction updateWith( AuthenticationInteractionRequestResult interactionRequestResult) { Map resultMap = interactionResults.toMap(); AuthenticationRequest updatedRequest = updateWithUser(interactionRequestResult); if (interactionResults.contains(interactionRequestResult.interactionTypeName())) { AuthenticationInteractionResult foundResult = interactionResults.get(interactionRequestResult.interactionTypeName()); AuthenticationInteractionResult updatedInteraction = foundResult.updateWith(interactionRequestResult); resultMap.remove(interactionRequestResult.interactionTypeName()); resultMap.put(interactionRequestResult.interactionTypeName(), updatedInteraction); } else { String operationType = interactionRequestResult.operationType().name(); String method = interactionRequestResult.method(); int successCount = interactionRequestResult.isSuccess() ? 1 : 0; int failureCount = interactionRequestResult.isSuccess() ? 0 : 1; LocalDateTime interactionTime = SystemDateTime.now(); AuthenticationInteractionResult result = new AuthenticationInteractionResult( operationType, method, 1, successCount, failureCount, interactionTime); resultMap.put(interactionRequestResult.interactionTypeName(), result); } AuthenticationInteractionResults updatedResults = new AuthenticationInteractionResults(resultMap); return new AuthenticationTransaction( identifier, authorizationIdentifier, updatedRequest, authenticationPolicy, updatedResults, attributes); } /** * Updates the authentication request with user information from the interaction result. * *

Issue #1021: User is only added to the transaction when: * *

* *

This prevents transaction pollution on failure (PR #973) and ensures that users are only * committed to the transaction after successful authentication, not during the challenge phase. * * @param interactionRequestResult the authentication interaction result * @return the updated authentication request */ private AuthenticationRequest updateWithUser( AuthenticationInteractionRequestResult interactionRequestResult) { // No user in result - keep request unchanged if (!interactionRequestResult.hasUser()) { return request; } // Issue #1021: Don't add user on failure (prevents transaction pollution - PR #973) if (!interactionRequestResult.isSuccess()) { return request; } // Issue #1021: Challenge phase = user not yet verified, don't add to transaction if (interactionRequestResult.operationType().isChallenge()) { return request; } // Authentication success - add user to transaction if (!request.hasUser()) { return request.updateWithUser(interactionRequestResult); } if (!request.isSameUser(interactionRequestResult.user())) { throw new BadRequestException("User is not the same as the request"); } return request; } public AuthenticationTransaction updateWith(FederationInteractionResult result) { Map resultMap = interactionResults.toMap(); AuthenticationRequest updatedRequest = request.updateWithUser(result); if (interactionResults.contains(result.interactionTypeName())) { AuthenticationInteractionResult foundResult = interactionResults.get(result.interactionTypeName()); AuthenticationInteractionResult updatedInteraction = foundResult.updateWith(result); resultMap.remove(result.interactionTypeName()); resultMap.put(result.interactionTypeName(), updatedInteraction); } else { String operationType = OperationType.AUTHENTICATION.name(); String method = result.ssoProvider().name(); int successCount = result.isSuccess() ? 1 : 0; int failureCount = result.isSuccess() ? 0 : 1; LocalDateTime interactionTime = SystemDateTime.now(); AuthenticationInteractionResult authenticationInteractionResult = new AuthenticationInteractionResult( operationType, method, 1, successCount, failureCount, interactionTime); resultMap.put(result.interactionTypeName(), authenticationInteractionResult); } AuthenticationInteractionResults updatedResults = new AuthenticationInteractionResults(resultMap); return new AuthenticationTransaction( identifier, authorizationIdentifier, updatedRequest, authenticationPolicy, updatedResults, attributes); } public AuthenticationTransactionIdentifier identifier() { return identifier; } public AuthorizationIdentifier authorizationIdentifier() { return authorizationIdentifier; } public AuthFlow flow() { return request.authFlow(); } public AuthenticationRequest request() { return request; } public AuthenticationDevice authenticationDevice() { return request.authenticationDevice(); } public User user() { if (request.hasUser()) { return request.user(); } return User.notFound(); } public AuthenticationInteractionResults interactionResults() { return interactionResults; } public Map interactionResultsAsMapObject() { return interactionResults.toMapAsObject(); } public Map toRequestMap() { return toRequestMap(true); } /** * Converts this transaction to a map for public API response. * * @param isDeviceAuthenticated true if device authentication was successfully performed * @return map representation for public API response */ public Map toRequestMap(boolean isDeviceAuthenticated) { Map map = new HashMap<>(); map.put("id", identifier.value()); map.putAll(request.toMapForPublic(isDeviceAuthenticated)); return map; } public boolean hasAuthenticationPolicy() { return authenticationPolicy != null && authenticationPolicy.exists(); } public AuthenticationPolicy authenticationPolicy() { return authenticationPolicy; } public boolean isSuccess() { if (hasAuthenticationPolicy()) { AuthenticationResultConditionConfig authenticationResultConditionConfig = authenticationPolicy.successConditions(); return MfaConditionEvaluator.isSuccessSatisfied( authenticationResultConditionConfig, interactionResults); } return interactionResults.containsAnySuccess(); } public boolean isFailure() { if (hasAuthenticationPolicy()) { AuthenticationResultConditionConfig authenticationResultConditionConfig = authenticationPolicy.failureConditions(); return MfaConditionEvaluator.isFailureSatisfied( authenticationResultConditionConfig, interactionResults); } return interactionResults.containsDenyInteraction(); } public boolean isLocked() { if (hasAuthenticationPolicy()) { AuthenticationResultConditionConfig authenticationResultConditionConfig = authenticationPolicy.lockConditions(); return MfaConditionEvaluator.isLockedSatisfied( authenticationResultConditionConfig, interactionResults); } return false; } public boolean isComplete() { return isSuccess() || isFailure() || isLocked(); } public boolean exists() { return identifier != null && identifier.exists(); } public boolean hasInteractions() { return interactionResults != null && interactionResults.exists(); } public boolean hasUser() { return request.hasUser(); } public boolean hasAuthenticationDevice() { return request.hasAuthenticationDevice(); } public AuthenticationContext requestContext() { return request.context(); } public AuthenticationTransactionAttributes attributes() { return attributes; } public boolean hasAttributes() { return attributes != null && attributes.exists(); } public Authentication authentication() { if (!isSuccess()) { return new Authentication(); } LocalDateTime time = interactionResults.authenticationTime(); List methods = interactionResults.authenticationMethods(); String acr = AcrResolver.resolve(authenticationPolicy.acrMappingRules(), methods); return new Authentication().setTime(time).addMethods(methods).addAcr(acr); } public List deniedScopes() { Map> levelOfAuthenticationScopes = authenticationPolicy.levelOfAuthenticationScopes(); List methods = interactionResults.authenticationMethods(); return LoaDeniedScopeResolver.resolve(levelOfAuthenticationScopes, methods); } public boolean hasAuthorizationIdentifier() { return authorizationIdentifier != null && authorizationIdentifier.exists(); } public AuthenticationStepDefinition getCurrentStepDefinition(String method) { if (!hasAuthenticationPolicy()) { return null; } if (!authenticationPolicy.hasStepDefinitions()) { return null; } for (AuthenticationStepDefinition step : authenticationPolicy.stepDefinitions()) { if (method.equals(step.authenticationMethod())) { return step; } } return null; } /** * Gets the authentication session ID bound to this transaction. * * @return AuthSessionId for browser session binding, or empty AuthSessionId if not bound */ public AuthSessionId authSessionId() { if (hasAttributes()) { return attributes.authSessionId(); } return new AuthSessionId(); } /** * Checks if this transaction has an authentication session binding. * * @return true if authSessionId is present */ public boolean hasAuthSessionId() { return hasAttributes() && attributes.hasAuthSessionId(); } }