
feat(jans-auth-server): AS supports acr aliasing but it's not published on discovery. It should be added to discovery. #9166 #9344

Merged
merged 3 commits into main from jans-auth-server-9166
Sep 3, 2024

Conversation

yuriyz
Contributor

@yuriyz yuriyz commented Sep 3, 2024

Description

feat(jans-auth-server): AS supports acr aliasing but it's not published on discovery. It should be added to discovery.

Target issue

closes #9166

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

…ed on discovery. It should be added to discovery. #9166

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
@yuriyz yuriyz requested review from yurem and yuriyzz as code owners September 3, 2024 12:32

dryrunsecurity bot commented Sep 3, 2024

DryRun Security Summary

The pull request enhances the functionality and security of the Janssen Project's authentication server by improving the handling of OpenID Connect (OIDC) configuration metadata and discovery responses, including the addition of support for Authentication Context Class Reference (ACR) mappings, expansion of OIDC response types and DPoP signing algorithms, and improvements to the discovery response and utility methods.


Summary:

The code changes in this pull request focus on enhancing the functionality and security of the Janssen Project's authentication server (jans-auth-server) by improving the handling of OpenID Connect (OIDC) configuration metadata and discovery responses.

The key changes include:

  1. ACR Mappings: The addition of support for Authentication Context Class Reference (ACR) mappings, which allow the server to associate different authentication methods or levels of assurance with specific applications or flows. This is a positive security enhancement, as it provides more granular control over the authentication experience and requirements.

  2. OIDC Configuration Metadata: The expansion of the server's support for different OIDC response types, backchannel token delivery modes, and DPoP (Demonstration of Proof-of-Possession) signing algorithms. These changes improve the server's OIDC capabilities and configurability, leading to more robust and secure integrations.

  3. Discovery Response: The addition of ACR mappings to the discovery response, which increases the transparency of the server's authentication capabilities. This information can be useful for clients to make informed decisions about the authentication flow to use.

  4. Utility Methods: The addition of a new utility method toSerializableMapOfStrings to the Util class, which helps convert a generic map to a map of strings. This is a minor change that can be useful in various parts of the application.

  5. Test Coverage: The introduction of new test cases to ensure the accuracy and reliability of the discovery document, which is a crucial component of the OAuth 2.0 and OIDC protocols.

Overall, the changes in this pull request appear to be focused on improving the security and functionality of the Janssen Project's authentication server, with a particular emphasis on enhancing the handling of OIDC configuration metadata and discovery responses.

Files Changed:

  1. ConfigurationResponseClaim.java: Introduces a new constant ACR_MAPPINGS to represent the mapping between authentication context class references (ACRs) and their corresponding values.

  2. OpenIdConfigurationClient.java: Adds support for handling ACR mappings in the OpenID Configuration response.

  3. install-faq.md: Updates the OpenID Connect (OIDC) configuration metadata to include the acr_mappings parameter, which maps an "alias" to an "acr" value.

  4. OpenIdConfigurationResponse.java: Adds a new field acrMappings to the OpenIdConfigurationResponse class to support ACR mappings.

  5. DiscoveryService.java: Adds the ACR mappings to the discovery response JSON object if the application configuration contains them.

  6. Util.java: Introduces a new utility method toSerializableMapOfStrings to convert a map of generic objects to a map of strings.

  7. DiscoveryServiceTest.java: Adds new test cases to ensure the accuracy and reliability of the discovery document, including the handling of ACR mappings.

Code Analysis

We ran 9 analyzers against 7 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer: Authn/Authz Analyzer
Findings: 6

Riskiness

🟢 Risk threshold not exceeded.

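The summary above describes a server that now advertises acr_mappings (alias to acr value) in its discovery document, and only when the configuration defines them. The example below is added here and is not code from the pull request or the Janssen project: it shows how a relying party can consume that field defensively, resolving requested acr_values through the alias map and refusing any value whose canonical acr is not listed in acr_values_supported. The discovery document, the alias names ("mfa", "passwordless") and the acr names ("basic", "otp", "fido2") are constructed sample data, and the treatment of a missing acr_mappings field as "no aliases" is an assumption based on the description that the field is conditional.

```python
import json

# Constructed sample discovery document (not from the PR or the project).
# acr_mappings maps an alias to a canonical acr value; "stale" is a
# deliberately dangling alias whose target is not advertised as supported.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://as.example.test",
    "acr_values_supported": ["basic", "otp", "fido2"],
    "acr_mappings": {"mfa": "otp", "passwordless": "fido2", "stale": "legacy"},
})

# Constructed discovery document from a server that defines no aliases;
# per the PR description the field is then absent entirely.
SAMPLE_DISCOVERY_NO_MAPPINGS = json.dumps({
    "issuer": "https://as.example.test",
    "acr_values_supported": ["basic"],
})


def load_acr_info(discovery_json):
    """Parse acr_values_supported and acr_mappings from a discovery document.

    Returns (supported, mappings). A missing acr_mappings field is treated as
    an empty map (assumption). Malformed shapes are rejected rather than
    silently coerced, so a corrupted or tampered document fails closed.
    """
    doc = json.loads(discovery_json)
    supported = doc.get("acr_values_supported", [])
    mappings = doc.get("acr_mappings")
    if mappings is None:
        mappings = {}
    if not isinstance(supported, list) or not all(isinstance(s, str) for s in supported):
        raise ValueError("acr_values_supported must be a list of strings")
    if not isinstance(mappings, dict):
        raise ValueError("acr_mappings must be a JSON object")
    for alias, acr in mappings.items():
        if not isinstance(acr, str):
            raise ValueError("acr_mappings value for %r is not a string" % alias)
    return set(supported), dict(mappings)


def resolve_acr(requested, supported, mappings):
    """Map a requested acr (alias or canonical) to its canonical value.

    Returns None when the canonical value is not advertised as supported,
    which also covers a dangling alias.
    """
    canonical = mappings.get(requested, requested)
    return canonical if canonical in supported else None


def check_requested_acrs(discovery_json, requested):
    """Resolve each requested acr against the discovery document.

    Result maps each requested value to its canonical acr, or None when the
    client should not rely on that value being honoured by the server.
    """
    supported, mappings = load_acr_info(discovery_json)
    return {r: resolve_acr(r, supported, mappings) for r in requested}


if __name__ == "__main__":
    print(check_requested_acrs(SAMPLE_DISCOVERY, ["mfa", "otp", "stale", "unknown"]))
    print(check_requested_acrs(SAMPLE_DISCOVERY_NO_MAPPINGS, ["mfa", "basic"]))
```

The design choice worth noting is that an alias is only trusted when its target appears in acr_values_supported; the alias map is treated as a hint, not as a second list of supported values, so a stale or mis-configured mapping cannot make a client believe an authentication level is available when it is not.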

@yuriyz yuriyz enabled auto-merge (squash) September 3, 2024 12:36
@mo-auto mo-auto added labels Sep 3, 2024:
  • area-documentation: Documentation needs to change as part of issue or PR
  • comp-jans-auth-server: Component affected by issue or PR
  • kind-feature: Issue or PR is a new feature request

sonarqubecloud bot commented Sep 3, 2024


@yuriyz yuriyz merged commit 9635328 into main Sep 3, 2024
15 checks passed
@yuriyz yuriyz deleted the jans-auth-server-9166 branch September 3, 2024 13:11

yuriyz added a commit that referenced this pull request Nov 7, 2024
* feat(jans-auth-server): AS supports acr aliasing but it's not published on discovery. It should be added to discovery. #9166

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

* feat(jans-auth-server): added acr_mappings to doc sample #9166

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

---------

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
Former-commit-id: 9635328