@yuriyz yuriyz commented Nov 4, 2025

Description

feat(jans-auth-server): introducing interception script for tx_tokens

Target issue

closes #8376

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Summary by CodeRabbit

  • New Features

    • TX Token generation can be customized via external scripts — scripts may modify token payloads, responses, and override token lifetime.
    • If a script denies creation, requests now return a detailed 403 FORBIDDEN.
  • Bug Fixes

    • Flows that previously failed when no external scripts were present (PAR and update-token) now treat empty script sets as successful no-ops.

@yuriyz yuriyz self-assigned this Nov 4, 2025
@yuriyz yuriyz requested review from yurem and yuriyzz as code owners November 4, 2025 14:22
@yuriyz yuriyz marked this pull request as draft November 4, 2025 14:22
mo-auto commented Nov 4, 2025

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical 0, High 0, Medium 0, Low 0. Total: 0 issues.

coderabbitai bot commented Nov 4, 2025

Important: review skipped (draft detected).

📝 Walkthrough

You better think twice! Like a wise ol' pigeon droppin' knowledge from up high, I got the scoop on this PR.

Adds TX token interception support: new TxTokenType API and DummyTxTokenType, TX_TOKEN enum entry, ExternalTxTokenService to run scripts, and integration in TxTokenService to let external scripts modify payloads, responses, and token lifetime (with 403 on script denial).

Changes

Cohort: Script Type Core Definitions
Files: jans-core/script/src/main/java/io/jans/model/custom/script/type/token/TxTokenType.java, jans-core/script/src/main/java/io/jans/model/custom/script/type/token/DummyTxTokenType.java, jans-core/script/src/main/java/io/jans/model/custom/script/CustomScriptType.java
Summary: Added new TxTokenType interface declaring getTxTokenLifetimeInSeconds, modifyTokenPayload, modifyResponse. Added DummyTxTokenType no-op implementation. Added TX_TOKEN enum constant to CustomScriptType.

Cohort: External TX Token Service
Files: jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalTxTokenService.java
Summary: New ExternalTxTokenService extending ExternalScriptService; provides methods to run TxToken scripts: modifyTokenPayload, modifyResponse, getTxTokenLifetimeInSeconds (overloads for script/config variants), with logging, exception propagation/persistence, and short-circuiting semantics.

Cohort: TX Token Service Integration
Files: jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TxTokenService.java
Summary: Injected ExternalTxTokenService; changed lifetime resolution to use ExecutionContext; callouts to external scripts to modify payload/response and to obtain lifetime; returns 403 FORBIDDEN when a script denies token creation.

Cohort: External service behavior adjustments
Files: jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalParService.java, jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalUpdateTokenService.java
Summary: Changed behavior for empty script sets: methods now treat no-scripts as successful no-op (return true) instead of false.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Pay extra attention to:
    • Exception handling and WebApplicationException propagation in ExternalTxTokenService.
    • Correct propagation of ExecutionContext into script calls and fallback lifetime logic in TxTokenService.
    • Short-circuit behavior when scripts return false (403 generation) and tests covering that path.
    • Consistency of logging and script error persistence with existing External*Service patterns.

Suggested reviewers

  • iromli
  • jgomer2001
  • pujavs

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings, 1 inconclusive)
  • Description check: ⚠️ Warning. The PR description is incomplete. Required sections like 'Implementation Details' are missing, and testing/documentation checkboxes are unchecked without justification. Resolution: fill in the 'Implementation Details' section with high-level analysis, check the appropriate testing/documentation boxes, and confirm whether docs were updated.
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient. The required threshold is 80.00%. Resolution: you can run @coderabbitai generate docstrings to improve docstring coverage.
  • Linked Issues check: ❓ Inconclusive. While the code changes implement tx_token interception script functionality, it's unclear if testing and documentation requirements from issue #8376 have been adequately fulfilled. Resolution: verify that unit tests, integration tests, and documentation have been added/updated as required by issue #8376 before merging.
✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The PR title clearly summarizes the main change: introducing an interception script for tx_tokens in jans-auth-server, which aligns with the changeset.
  • Out of Scope Changes check: ✅ Passed. All code changes align with the objective of introducing tx_token interception scripts. Minor behavior adjustments in ExternalParService and ExternalUpdateTokenService are reasonable supporting changes.

@mo-auto mo-auto added comp-jans-auth-server Component affected by issue or PR comp-jans-core Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Nov 4, 2025

sonarqubecloud bot commented Nov 4, 2025

sonarqubecloud bot commented Nov 4, 2025

@yuriyz yuriyz marked this pull request as ready for review November 6, 2025 07:54

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4ffb47a and d194763.

📒 Files selected for processing (5)
  • jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalTxTokenService.java (1 hunks)
  • jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TxTokenService.java (7 hunks)
  • jans-core/script/src/main/java/io/jans/model/custom/script/CustomScriptType.java (1 hunks)
  • jans-core/script/src/main/java/io/jans/model/custom/script/type/token/DummyTxTokenType.java (1 hunks)
  • jans-core/script/src/main/java/io/jans/model/custom/script/type/token/TxTokenType.java (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (2)
jans-core/script/src/main/java/io/jans/model/custom/script/type/token/DummyTxTokenType.java (1)
terraform-provider-jans/jans/script.go (1)
  • SimpleCustomProperty (25-29)
jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalTxTokenService.java (2)
jans-auth-server/server/src/main/java/io/jans/as/server/model/common/ExecutionContext.java (1)
  • ExecutionContext (35-483)
jans-link/service/src/main/java/io/jans/link/external/ExternalScriptService.java (1)
  • ExternalScriptService (38-186)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: prep-matrix
  • GitHub Check: run-tests (MYSQL)
  • GitHub Check: run-tests (PGSQL)
  • GitHub Check: sonar scan (jans-auth-server)


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (1)
jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalTxTokenService.java (1)

46-60: Past issue resolved—empty-script path now succeeds.

If ya skip the good vibes, I'll say, 'You better think twice!' The past review flagged line 49 for returning false when no scripts are found, but I'm spotting that it now hands back true—exactly right! The default TX token flow can cruise through when scripts ain't configured. I'm ready to have some fun!

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d194763 and e3eeb23.

📒 Files selected for processing (3)
  • jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalParService.java (1 hunks)
  • jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalTxTokenService.java (1 hunks)
  • jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalUpdateTokenService.java (1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalTxTokenService.java (2)
jans-auth-server/server/src/main/java/io/jans/as/server/model/common/ExecutionContext.java (1)
  • ExecutionContext (35-483)
jans-link/service/src/main/java/io/jans/link/external/ExternalScriptService.java (1)
  • ExternalScriptService (38-186)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: run-tests (MYSQL)
  • GitHub Check: prep-matrix
  • GitHub Check: run-tests (PGSQL)
  • GitHub Check: sonar scan (jans-auth-server)
🔇 Additional comments (6)
jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalParService.java (1)

49-63: LGTM! No-script path now succeeds as expected.

Listen up, my friend! Like a wise ol' pigeon, I'm spotting that when no PAR scripts are configured, this method now hands back true instead of blocking the flow. This lets the default PAR behavior cruise right through when scripts ain't present—exactly what we need! Let's get this party rollin'!

jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalUpdateTokenService.java (1)

58-72: LGTM! Empty-script handling now succeeds.

You better think twice before blocking token updates when no scripts are around! This change hands back true when the script basket is empty, so the ID token flow keeps cruisin' with built-in behavior. I'm ready to have some fun with this consistent pattern across all external services!

jans-auth-server/server/src/main/java/io/jans/as/server/service/external/ExternalTxTokenService.java (4)

21-44: LGTM! Constructor and per-script method look solid.

Listen up, my friend! This TX token service constructor and the per-script modifyTokenPayload method follow the wise ol' pigeon pattern we've been using. Script execution, error handling, and WebApplicationException propagation are all cruisin' smoothly. Let's get this party rollin'!

62-99: LGTM! Response modification methods follow the pattern.

Like a wise ol' pigeon, I'm spotting that both the per-script and aggregate modifyResponse methods follow the same solid pattern as modifyTokenPayload. Empty-script handling returns true (line 87), error handling is tight, and that extra trace log at line 86 is a nice touch. Let's get this party rollin'!

101-136: LGTM! Lifetime methods handle empty scripts appropriately.

Listen up, my friend! The getTxTokenLifetimeInSeconds methods follow the pattern, but rightly return 0 when scripts are empty (line 124) instead of boolean—that's the ticket for integer lifetimes! The loop grabs the first positive lifetime, and the fallback to 0 signals "use default." I'm ready to have some fun with this logic!

139-152: LGTM! Script retrieval logic is safe and sound.

You better think twice before calling getClient() without checking! This helper properly guards against null clients at line 140 before dereferencing at line 145. The DNS-based script lookup matches the pattern in PAR and UpdateToken services. Let's get this party rollin'!

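The script-chain semantics described in the walkthrough and in the review comments above (an empty script set is a successful no-op, a script returning false short-circuits to a 403, and the first positive lifetime wins with 0 meaning "use the default"), as an added illustration that is not the project's own code: the interface shape, the Map-based payload/context parameters and the TxTokenScriptRunner class are assumptions simplified from the TxTokenType, DummyTxTokenType and ExternalTxTokenService names the PR introduces.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;
// Assumed, simplified shape of the PR's script API; the real parameter types are not shown on the page.
interface TxTokenType {
    int getTxTokenLifetimeInSeconds(Map<String, Object> context);
    boolean modifyTokenPayload(Map<String, Object> payload, Map<String, Object> context);
}
// No-op default, mirroring DummyTxTokenType: payload untouched, lifetime left to configuration (0).
class DummyTxTokenType implements TxTokenType {
    public int getTxTokenLifetimeInSeconds(Map<String, Object> c) { return 0; }
    public boolean modifyTokenPayload(Map<String, Object> p, Map<String, Object> c) { return true; }
}
// Aggregator with the semantics the review describes: an empty script set is a successful no-op,
// any script returning false short-circuits the chain, and the first positive lifetime wins.
class TxTokenScriptRunner {
    private final List<TxTokenType> scripts;
    TxTokenScriptRunner(List<TxTokenType> scripts) { this.scripts = scripts; }

    boolean modifyTokenPayload(Map<String, Object> payload, Map<String, Object> ctx) {
        if (scripts.isEmpty()) return true;  // nothing configured: the default TX token flow proceeds
        for (TxTokenType s : scripts) {
            if (!s.modifyTokenPayload(payload, ctx)) return false;  // a denial stops the chain
        }
        return true;
    }

    int getTxTokenLifetimeInSeconds(Map<String, Object> ctx) {
        for (TxTokenType s : scripts) {
            int lifetime = s.getTxTokenLifetimeInSeconds(ctx);
            if (lifetime > 0) return lifetime;
        }
        return 0;  // 0 signals "use the configured default lifetime"
    }
}

public class TxTokenInterceptionDemo {
    public static void main(String[] args) {
        Map<String, Object> ctx = new HashMap<>();  // constructed: deliberately has no "client" entry
        Map<String, Object> payload = new HashMap<>();
        // Constructed denying script: refuses token creation when the context carries no client.
        TxTokenType denyIfNoClient = new DummyTxTokenType() {
            @Override public boolean modifyTokenPayload(Map<String, Object> p, Map<String, Object> c) { return c.containsKey("client"); }
        };
        List<TxTokenType> chain = List.of(new DummyTxTokenType(), denyIfNoClient);
        int noScripts = new TxTokenScriptRunner(List.of()).modifyTokenPayload(payload, ctx) ? 200 : 403;
        int denied = new TxTokenScriptRunner(chain).modifyTokenPayload(payload, ctx) ? 200 : 403;
        System.out.println("no scripts -> HTTP " + noScripts + ", denying script -> HTTP " + denied);
    }
}
```

The caller maps the boolean to the HTTP status exactly as the PR describes for TxTokenService: true lets token issuance continue, false becomes a 403 FORBIDDEN.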
coderabbitai bot previously approved these changes Nov 6, 2025
@yuriyz yuriyz marked this pull request as draft November 6, 2025 13:01

Development

Successfully merging this pull request may close these issues.

feat(jans-auth-server): introduce interception script for tx_tokens