Enhance API response customizability for locked user accounts

components/org.wso2.carbon.identity.auth.service/pom.xml

@@ -66,6 +66,10 @@
             <groupId>org.wso2.carbon.identity.organization.management.core</groupId>
             <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wso2.carbon.identity.event.handler.accountlock</groupId>
+            <artifactId>org.wso2.carbon.identity.handler.event.account.lock</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.testng</groupId>
             <artifactId>testng</artifactId>
@@ -197,7 +201,9 @@
                             org.wso2.carbon.identity.oauth2.*;
                             version="${org.wso2.carbon.identity.oauth.import.version.range}",
                             org.wso2.carbon.identity.organization.management.service; version="${org.wso2.carbon.identity.organization.management.core.version.range}",
-                            org.wso2.carbon.identity.organization.management.service.exception; version="${org.wso2.carbon.identity.organization.management.core.version.range}"
+                            org.wso2.carbon.identity.organization.management.service.exception; version="${org.wso2.carbon.identity.organization.management.core.version.range}",
+                            org.wso2.carbon.identity.handler.event.account.lock.exception;
+                            version="${identity.event.handler.account.lock.version.range}",
                         </Import-Package>
                         <Export-Package>
                             !org.wso2.carbon.identity.auth.service.internal,

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/exception/AuthenticationFailException.java

@@ -1,6 +1,9 @@
 package org.wso2.carbon.identity.auth.service.exception;
 
 public class AuthenticationFailException extends Exception{
+
+    private String errorCode;
+
     public AuthenticationFailException() {
         super();
     }
@@ -17,8 +20,19 @@ public AuthenticationFailException(Throwable cause) {
         super(cause);
     }
 
+    public AuthenticationFailException(String errorCode, String message) {
+
+        super(message);
+        this.errorCode = errorCode;
+    }
+
     protected AuthenticationFailException(String message, Throwable cause, boolean enableSuppression, boolean
             writableStackTrace) {
         super(message, cause, enableSuppression, writableStackTrace);
     }
+
+    public String getErrorCode() {
+
+        return errorCode;
+    }
 }

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/exception/AuthenticationFailServerException.java

@@ -41,4 +41,9 @@ public AuthenticationFailServerException(Throwable cause) {
 
         super(cause);
     }
+
+    public AuthenticationFailServerException(String errorCode, String message) {
+
+        super(errorCode, message);
+    }
 }

components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/impl/BasicAuthenticationHandler.java

@@ -49,6 +49,7 @@
 
 import java.nio.charset.Charset;
 
+import org.wso2.carbon.identity.handler.event.account.lock.exception.AccountLockException;
 import static org.wso2.carbon.identity.auth.service.util.AuthConfigurationUtil.isAuthHeaderMatch;
 
 /**
@@ -207,6 +208,13 @@ providing a Level of Assurance (LOA) and checking that in the TOTP and FIDO2 ser
                 } catch (org.wso2.carbon.user.api.UserStoreException | OrganizationManagementException e) {
                     String errorMessage = "Error occurred while trying to authenticate. " + e.getMessage();
                     log.error(errorMessage);
+
+                    Throwable cause = e.getCause();
+                    if (cause instanceof AccountLockException) {
+                        String errorCode = ((AccountLockException) cause).getErrorCode();
+                        throw new AuthenticationFailException(errorCode, errorMessage);
+                    }
+
                     throw new AuthenticationFailServerException(errorMessage);
                 }
             } else {

components/org.wso2.carbon.identity.auth.valve/pom.xml

@@ -229,7 +229,8 @@
                             org.wso2.carbon.identity.oauth.dao;version="${org.wso2.carbon.identity.oauth.import.version.range}",
                             org.wso2.carbon.identity.oauth2;version="${org.wso2.carbon.identity.oauth.import.version.range}",
                             org.wso2.carbon.identity.oauth2.client.authentication;version="${org.wso2.carbon.identity.oauth.import.version.range}",
-                            org.wso2.carbon.identity.oauth2.util;version="${org.wso2.carbon.identity.oauth.import.version.range}"
+                            org.wso2.carbon.identity.oauth2.util;version="${org.wso2.carbon.identity.oauth.import.version.range}",
+                            org.wso2.carbon.identity.base; version="${carbon.identity.package.import.version.range}",
                         </Import-Package>
                         <Export-Package>org.wso2.carbon.identity.auth.valve.*;
                             version="${org.wso2.carbon.identity.auth.valve.version}"

components/org.wso2.carbon.identity.auth.valve/src/main/java/org/wso2/carbon/identity/auth/valve/AuthenticationValve.java

@@ -157,7 +157,7 @@ public void invoke(Request request, Response response) throws IOException, Servl
             APIErrorResponseHandler.handleErrorResponse(authenticationContext, response,
                     HttpServletResponse.SC_SERVICE_UNAVAILABLE, e);
         } catch (AuthenticationFailException e) {
-            APIErrorResponseHandler.handleErrorResponse(authenticationContext, response,
+            APIErrorResponseHandler.handleAuthenticationFailErrorResponse(authenticationContext, response,
                     HttpServletResponse.SC_UNAUTHORIZED, e);
         } catch (AuthRuntimeException e) {
             log.error("Auth Runtime Exception occurred in Authentication valve :", e);

components/org.wso2.carbon.identity.auth.valve/src/main/java/org/wso2/carbon/identity/auth/valve/util/APIErrorResponseHandler.java

@@ -24,13 +24,17 @@
 import org.json.JSONObject;
 import org.wso2.carbon.base.ServerConfiguration;
 import org.wso2.carbon.identity.auth.service.AuthenticationContext;
+import org.wso2.carbon.identity.auth.service.exception.AuthenticationFailException;
+import org.wso2.carbon.identity.base.IdentityConstants;
 import org.wso2.carbon.identity.core.util.IdentityUtil;
 
 import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 
 import org.slf4j.MDC;
 
+import static org.wso2.carbon.identity.core.util.IdentityCoreConstants.USER_ACCOUNT_LOCKED_ERROR_CODE;
+
 /**
  * APIErrorResponseHandler handles the authentications and authorizations error responses.
  */
@@ -39,6 +43,8 @@ public class APIErrorResponseHandler {
     private static final Log log = LogFactory.getLog(APIErrorResponseHandler.class);
 
     private static final String AUTH_HEADER_NAME = "WWW-Authenticate";
+    private static final String AUTH_FAILURE_REASON = "Auth-Failure-Reason";
+    private static final String AUTH_FAILURE_REASON_ACCOUNT_LOCKED = "account locked";
     private static final String CORRELATION_ID_MDC = "Correlation-ID";
     private static final String BAD_REQUEST_ERROR_MSG = "Your client has issued a malformed or illegal request.";
     private static final String UNAUTHORIZED_ERROR_MSG = "Authorization failure. Authorization information was" +
@@ -85,6 +91,18 @@ public static void handleErrorResponse(AuthenticationContext authenticationConte
         }
     }
 
+    public static void handleAuthenticationFailErrorResponse(AuthenticationContext authenticationContext, Response response,
+                                                       int error, AuthenticationFailException e) throws IOException {
+
+        if (e != null && e.getErrorCode() != null &&
+                USER_ACCOUNT_LOCKED_ERROR_CODE.equals(e.getErrorCode().split(":")[0]) && Boolean.parseBoolean(
+                IdentityUtil.getProperty(IdentityConstants.APIResponse.SET_ACCOUNT_LOCK_AUTH_FAILURE_REASON))) {
+            response.setHeader(AUTH_FAILURE_REASON, AUTH_FAILURE_REASON_ACCOUNT_LOCKED);
+        }
+
+        handleErrorResponse(authenticationContext, response, error, e);
+    }
+
     private static String removeTenantDetailFromURI(String uri) {
         if (uri.startsWith("/t")) {
             String[] uriSplit = uri.split("/");

pom.xml

@@ -172,6 +172,11 @@
                 <artifactId>org.wso2.carbon.identity.organization.management.service</artifactId>
                 <version>${org.wso2.carbon.identity.organization.management.core.version}</version>
             </dependency>
+            <dependency>
+                <groupId>org.wso2.carbon.identity.event.handler.accountlock</groupId>
+                <artifactId>org.wso2.carbon.identity.handler.event.account.lock</artifactId>
+                <version>${identity.event.handler.account.lock.version}</version>
+            </dependency>
             <dependency>
                 <groupId>org.testng</groupId>
                 <artifactId>testng</artifactId>
@@ -345,7 +350,7 @@
         <org.wso2.carbon.identity.cors.valve.version>${project.version}</org.wso2.carbon.identity.cors.valve.version>
 
         <!--Carbon identity version-->
-        <identity.framework.version>5.25.405</identity.framework.version>
+        <identity.framework.version>5.25.652</identity.framework.version>
         <carbon.identity.package.import.version.range>[5.17.8, 7.0.0)</carbon.identity.package.import.version.range>
 
         <org.wso2.carbon.identity.oauth.version>6.11.168</org.wso2.carbon.identity.oauth.version>
@@ -385,6 +390,10 @@
         <axiom.wso2.version>1.2.11-wso2v16</axiom.wso2.version>
         <axiom.osgi.version.range>[1.2.11, 2.0.0)</axiom.osgi.version.range>
 
+        <!-- Identity Event Handler Versions -->
+        <identity.event.handler.account.lock.version>1.8.13</identity.event.handler.account.lock.version>
+        <identity.event.handler.account.lock.version.range>[1.8.13, 2.0.0)</identity.event.handler.account.lock.version.range>
+
         <!-- Commons Version -->
         <commons-logging.version>1.2</commons-logging.version>
         <commons-logging.osgi.version.range>[1.2.0, 2.0.0)</commons-logging.osgi.version.range>