Fix authentication flow with custom authentication extension.

Thisara-Welmilla · Feb 3, 2025 · f945489 · f945489
1 parent b78d6ad
commit f945489
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 1 deletion.
diff --git a/...so2/carbon/identity/application/common/model/UserDefinedFederatedAuthenticatorConfig.java b/...so2/carbon/identity/application/common/model/UserDefinedFederatedAuthenticatorConfig.java
@@ -27,7 +27,7 @@
  */
 public class UserDefinedFederatedAuthenticatorConfig extends FederatedAuthenticatorConfig {
 
-    private UserDefinedAuthenticatorEndpointConfig endpointConfig;
+    private transient UserDefinedAuthenticatorEndpointConfig endpointConfig;
 
     public UserDefinedFederatedAuthenticatorConfig() {
 

diff --git a/...n/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java b/...n/identity/application/authentication/framework/handler/step/impl/DefaultStepHandler.java
@@ -663,6 +663,7 @@ protected void handleResponse(HttpServletRequest request, HttpServletResponse re
         boolean isNoneCanHandle = true;
         StepConfig stepConfig = sequenceConfig.getStepMap().get(currentStep);
 
+        handleAuthenticatorResolvingForBasicAuthMechanism(context, stepConfig);
         for (AuthenticatorConfig authenticatorConfig : stepConfig.getAuthenticatorList()) {
             ApplicationAuthenticator authenticator = authenticatorConfig
                     .getApplicationAuthenticator();
@@ -697,6 +698,25 @@ protected void handleResponse(HttpServletRequest request, HttpServletResponse re
         }
     }
 
+    private void handleAuthenticatorResolvingForBasicAuthMechanism(AuthenticationContext context, StepConfig stepConfig) {
+
+        /* When an authenticator with the basic authentication mechanism (such as basic or identifierFirst) is engaged
+        in the authentication flow, the handleRequest method for that authenticator is automatically triggered at the
+        start, setting setCurrentAuthenticator to the corresponding authenticator. However, when the user provides
+        credentials, the handleResponse method is initiated, and from the method handle(HttpServletRequest,
+        HttpServletResponse) in the DefaultRequestCoordinator class setCurrentAuthenticator is reset to null.
+        As a result, when selecting the appropriate authenticator, the system iterates through the list of
+        authenticators in the step and checks if currentAuthenticator is null. This causes the first authenticator in
+        the step to always be selected. To address this, if currentAuthenticator is null and an authenticator with the
+        basic authentication mechanism is present, we set the corresponding authenticator as the current authenticator.
+         */
+        for (AuthenticatorConfig authenticatorConfig : stepConfig.getAuthenticatorList()) {
+            if (BASIC_AUTH_MECHANISM.equals(authenticatorConfig.getApplicationAuthenticator().getAuthMechanism())) {
+                context.setCurrentAuthenticator(authenticatorConfig.getName());
+            }
+        }
+    }
+
     protected void doAuthentication(HttpServletRequest request, HttpServletResponse response,
                                     AuthenticationContext context, AuthenticatorConfig authenticatorConfig)
             throws FrameworkException {