
feat(jans-auth-server): added ability to pass authorizationMethodClaims to id_token via AuthorizationChallengeType script #9221 #9250

Merged: 3 commits, Aug 23, 2024

Conversation

yuriyz
Contributor

@yuriyz yuriyz commented Aug 23, 2024

Description

feat(jans-auth-server): added ability to pass authorizationMethodClaims to id_token via AuthorizationChallengeType script

Target issue

closes #9221

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

…ms to id_token via AuthorizationChallengeType script #9221

Signed-off-by: YuriyZ <[email protected]>
@yuriyz yuriyz requested review from yurem and yuriyzz as code owners August 23, 2024 10:30

dryrunsecurity bot commented Aug 23, 2024

DryRun Security Summary

The pull request focuses on enhancing the security and functionality of the authorization challenge functionality in the Jans Auth Server application, including the addition of authentication method claims, an external authorization challenge service, improvements to ID token generation, and the use of secure coding practices.


Summary:

The code changes in this pull request focus on enhancing the security and functionality of the authorization challenge functionality in the Jans Auth Server application. The key changes include:

  1. Authentication Method Claims: The addition of a new getAuthenticationMethodClaims method to the AuthorizationChallengeType interface allows for the inclusion of additional claims related to the authentication method used during the authorization process. This can be useful for security-related purposes, such as providing more detailed information to the client application or enabling risk-based access control policies.

  2. External Authorization Challenge Service: The ExternalAuthorizationChallengeService class is introduced; it is responsible for executing external authorization challenge scripts and retrieving the authentication method claims. This helps to ensure that the necessary information is available, even when the external authentication service does not provide it.

  3. ID Token Generation: The changes in the IdTokenFactory class focus on improving the security and compliance of the ID token generation process, including the handling of the AMR claim, claim filtering based on access token issuance, and support for the Client Initiated Backchannel Authentication (CIBA) flow.

  4. Secure Coding Practices: The code changes generally follow secure coding practices, such as proper error handling, input validation, and the use of secure methods and libraries.

Files Changed:

  • AuthorizationChallenge.java: The changes in this file focus on the implementation of the two-step authorization flow, device session management, and the addition of the getAuthenticationMethodClaims method.
  • IdTokenFactory.java: The changes in this file enhance the security and functionality of the ID token generation process, including the handling of the AMR claim, claim filtering, and CIBA support.
  • AuthorizationChallengeType.java: This interface defines the contract for different types of authorization challenges, and the changes introduce the new getAuthenticationMethodClaims method.
  • DummyAuthorizationChallengeType.java: This is a placeholder or sample implementation of the AuthorizationChallengeType interface, and the changes add the getAuthenticationMethodClaims method.
  • ExternalAuthorizationChallengeService.java: This new service is responsible for executing external authorization challenge scripts and retrieving the authentication method claims.

Overall, the changes in this pull request appear to be focused on improving the security and functionality of the authorization challenge functionality in the Jans Auth Server application. While the changes do not introduce any obvious security vulnerabilities, it's important to carefully review the implementation and the use of external scripts to ensure the application's security is not compromised.

Code Analysis

We ran 9 analyzers against 7 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Authn/Authz Analyzer, 9 findings

Riskiness

🟢 Risk threshold not exceeded.

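The summary above describes a script hook (getAuthenticationMethodClaims) whose output is folded into the id_token, and closes by asking reviewers to watch how external scripts are used. The following is an added illustration, not code from this PR or from Jans: a plain-Python stand-in for such a script and the merge check a reviewer would want, namely that script output can add allowlisted claims but can never replace protocol claims the token factory owns. The context dictionary, the claim allowlist and the reserved-claim set are assumptions for the example.

```python
# Constructed illustration; not the Jans AuthorizationChallengeType API or IdTokenFactory.
# Protocol claims that the token factory owns; a script must never be allowed to replace them.
RESERVED_ID_TOKEN_CLAIMS = frozenset({
    "iss", "sub", "aud", "exp", "iat", "auth_time", "nonce", "at_hash", "c_hash",
})
# Hypothetical allowlist of extra claim names a script may contribute (assumption).
ALLOWED_SCRIPT_CLAIMS = frozenset({"auth_method", "auth_device", "risk_level"})


class DummyAuthorizationChallenge:
    """Stand-in for a custom script. The method name getAuthenticationMethodClaims is
    the one named on the PR page; the shape of `context` (a dict here) is assumed."""

    def authorize(self, context):
        # Constructed check: compare the submitted OTP with the expected one.
        return context.get("otp") == context.get("expected_otp")

    def getAuthenticationMethodClaims(self, context):
        return {
            "auth_method": "otp",
            "auth_device": context.get("device_id", "unknown"),
            "sub": "someone-else",  # a misbehaving script trying to override the subject
        }


def merge_script_claims(base_claims, script_claims):
    """Return (merged id_token claims, rejected claim names).

    Reserved claims, names outside the allowlist and non-scalar values are dropped
    and reported so the rejection can be logged rather than silently ignored."""
    merged = dict(base_claims)
    rejected = []
    for name, value in script_claims.items():
        if name in RESERVED_ID_TOKEN_CLAIMS or name not in ALLOWED_SCRIPT_CLAIMS:
            rejected.append(name)
        elif not isinstance(value, (str, int, bool)):
            rejected.append(name)
        else:
            merged[name] = value
    return merged, rejected


def build_id_token_claims(script, context, base_claims):
    """Run the challenge; on success fold the script's claims into the base claims."""
    if not script.authorize(context):
        return None, []
    return merge_script_claims(base_claims, script.getAuthenticationMethodClaims(context))
```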

@mo-auto mo-auto added area-documentation Documentation needs to change as part of issue or PR comp-jans-auth-server Component affected by issue or PR comp-jans-core Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Aug 23, 2024
@yuriyzz yuriyzz enabled auto-merge (squash) August 23, 2024 10:32

@yuriyzz yuriyzz merged commit 92d4c22 into main Aug 23, 2024
1 of 2 checks passed
auto-merge was automatically disabled August 23, 2024 12:05

Base branch requires signed commits


yuriyz added a commit that referenced this pull request Nov 7, 2024
…ms to id_token via AuthorizationChallengeType script #9221 (#9250)

Signed-off-by: YuriyZ <[email protected]>
Former-commit-id: 92d4c22