fix(jans-auth): User Lookup by jansExtUid fails. #9975

Closed
tawaren opened this issue Oct 29, 2024 · 10 comments

tawaren commented Oct 29, 2024

Describe the bug
I use the io.jans.model.user.authenticator.UserAuthenticator to manage alternative ids and additional attributes required by my person authentication scripts. I have the following two code snippets:

UserAuthenticator auth = userAuthService.getUserAuthenticatorById(user, deviceId);
if(auth == null) {
    auth = userAuthService.createUserAuthenticator(deviceId, DEVICE_BOUND_AUTH, Map.of(DEVICE_BIND_TIME, encBindDate));
    userAuthService.addUserAuthenticator(user, auth);
} else {
    auth.addCustom(DEVICE_BIND_TIME, encBindDate);
}
user = userService.updateUser(user);

String jansExtUid = userAuthService.formatExternalUid(deviceId, DEVICE_BOUND_AUTH);
User user = userService.getUserByAttribute("jansExtUid", jansExtUid);

Since recently I get null from userService.getUserByAttribute("jansExtUid", jansExtUid). If I fetch the user otherwise I can confirm that getExternalUid() and getAuthenticator() return the expected values.

Expected behavior
I can fetch users over userService.getUserByAttribute("jansExtUid", jansExtUid) which have a corresponding UserAuthenticator set

Janssen Version:
The problem appeared in both 1.1.5-1 and 1.1.6_dev

Additional context
This approach is described and recommended under docs/script-catalog/person_authentication/person-authentication.md
It worked for me for quite a while and then suddenly stopped working.

@mo-auto mo-auto added the kind-bug Issue or PR is a bug in existing functionality label Oct 29, 2024

yuriyz commented Oct 29, 2024

We should ask @yurem


tawaren commented Oct 30, 2024

To reproduce it more easily, I have written a function that can be placed in any interception script or elsewhere and then be called.
(it just uses an authenticator without custom attributes and looks up the user immediately after updating it)

private void testJansExtUidLookup(User testUser) {
    log.debug("Executing lookup by authenticator test for user {} ",testUser.getUserId());

    UserAuthenticatorService userAuthService = CdiUtil.bean(UserAuthenticatorService.class);
    UserService userService = CdiUtil.bean(UserService.class);

    String someId = "1234567890";
    UserAuthenticator auth = userAuthService.getUserAuthenticatorById(testUser, someId);
    if(auth == null) {
        auth = userAuthService.createUserAuthenticator(someId, "test");
        userAuthService.addUserAuthenticator(testUser, auth);
    }
    testUser = userService.updateUser(testUser);
    String jansExtUid = userAuthService.formatExternalUid(someId, "test");
    User user = userService.getUserByAttribute("jansExtUid", jansExtUid);

    if(user == null) {
        log.debug("Looking up user by jansExtUid failed, user was not found");
        return;
    }

    if(testUser.equals(user)){
        log.debug("Looking up user by jansExtUid succeeded");
        return;
    }
    
    log.debug("Looking up user by jansExtUid resulted in an unexpected user, id was {} instead of expected {}", user,testUser);
}

It assumes that there is a static logger named log and everything is imported correctly.
Then it can be called with an existing user from that script. Static user example:

UserService userService = CdiUtil.bean(UserService.class);
String someExistingUser = "admin";
testJansExtUidLookup(userService.getUser(someExistingUser));

I called it from an UpdateTokenType and a PersonAuthenticationType script and got the following in the jans-auth_script.log:

Executing lookup by authenticator test for user admin 
Looking up user by jansExtUid failed, user was not found

and in the jans-auth.log

Getting user information from LDAP: userId = admin
Found 1 entries for user id = admin
Getting user information from LDAP: attributeName = 'jansExtUid', attributeValue = 'test:1234567890'
Found '0' entries


yurem commented Oct 30, 2024

I've checked your sample code and run it. The result is:

2024-10-30 18:22:45,241 DEBUG [qtp1791868405-17] [io.jans.as.server.auth.Authenticator] (Authenticator.java:852) - Executing lookup by authenticator test for user admin
2024-10-30 18:25:40,683 DEBUG [qtp1791868405-17] [io.jans.as.server.auth.Authenticator] (Authenticator.java:873) - Looking up user by jansExtUid succeeded

In PostgreSQL data also looks good:
Image

Which DB are you using?

Can you share jansExtuid and jansAuthenticator user attribute values?


yurem commented Oct 30, 2024

According to this ticket we added jansAuthenticator and this affected jansExtUid.
#8158

After implementing this we got a compatibility issue which we resolved in #8458 and #8460


tawaren commented Oct 30, 2024

We use MySQL as db.
I will try if I can reproduce the problem with PostgreSQL or if it is connected to MsSQL.
As soon as I'm at work again I can extract and share the attribute values stored in the db.

I do not know if this is relevant but we currently use the monolith as we are still in a development and testing phase.


tawaren commented Oct 31, 2024

I can confirm that it works with PostgreSQL where I get the expected:

Executing lookup by authenticator test for user admin 
Looking up user by jansExtUid succeeded

With MySQL I get the following for the query SELECT uid, jansExtuid, jansAuthenticator FROM jansPerson WHERE uid = 'admin' after executing testJansExtUidLookup on the admin user in a fresh unmodified setup (except for the interception script used to trigger the call):

uid     jansExtuid     jansAuthenticator
admin   ["test:1234567890"]     [{"1234567890": {"id": "1234567890", "type": "test"}}]


yurem commented Oct 31, 2024

I will check the same with MySQL too


yurem commented Nov 5, 2024

It should work well after merging this PR: #10051
I've found that after the recent MySQL DB JSON optimization, contains in JSON array stopped working properly.
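
Added example, not part of the thread and not Janssen's generated SQL (the page does not show the query the server issues): a set of diagnostic queries for checking on MySQL whether the stored jansExtuid array is matched by a JSON array membership predicate. The table, column names and sample value are taken from the Oct 31 comment above; the choice of predicates is an assumption about how such a lookup can be expressed.

```sql
-- Diagnostic queries for the MySQL case described in this issue.
-- Assumption: jansPerson.jansExtuid holds a JSON array such as
-- ["test:1234567890"], as shown in the Oct 31 comment.

-- 1. Confirm what is actually stored and that it parses as a JSON array.
SELECT uid,
       jansExtuid,
       JSON_TYPE(jansExtuid) AS ext_type   -- expected: ARRAY
FROM jansPerson
WHERE uid = 'admin';

-- 2. Membership test with JSON_CONTAINS. The candidate must itself be a
--    JSON document, so the plain string is wrapped with JSON_QUOTE.
--    Passing the unquoted string instead raises an invalid-JSON error.
SELECT uid
FROM jansPerson
WHERE JSON_CONTAINS(jansExtuid, JSON_QUOTE('test:1234567890'));

-- 3. The same membership test with MEMBER OF (MySQL 8.0.17 and later).
--    Here the left operand is a plain SQL string, not a JSON document.
SELECT uid
FROM jansPerson
WHERE 'test:1234567890' MEMBER OF (jansExtuid);

-- 4. For contrast: plain equality compares the string against the whole
--    array value, so it is not expected to return the admin row even
--    though the array contains the value.
SELECT uid
FROM jansPerson
WHERE jansExtuid = 'test:1234567890';
```

If queries 2 and 3 return the user while the server still logs "Found '0' entries" for the same value, the stored data is intact and the mismatch is in the predicate the server generates.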

@moabu moabu added this to the 1.1.6 milestone Nov 6, 2024

yurem commented Nov 6, 2024

@tawaren Can you check this issue with MySQL again?


tawaren commented Nov 7, 2024

I can confirm that it now works as intended with mysql.

@tawaren tawaren closed this as completed Nov 7, 2024