
feat(jans-auth-server): added nbf claims to tokens which is equal to iat #9320 #9375

Merged
merged 2 commits into main from jans-auth-server-9320
Sep 5, 2024

Conversation

yuriyz
Contributor

@yuriyz yuriyz commented Sep 5, 2024

Description

feat(jans-auth-server): added nbf claims to tokens which is equal to iat

Target issue

closes #9320

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

…iat #9320

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
@yuriyz yuriyz requested review from yurem and yuriyzz as code owners September 5, 2024 08:17

dryrunsecurity bot commented Sep 5, 2024

DryRun Security Summary

The pull request focuses on improving the security and functionality of the Janssen Project's authentication server, with key changes including enhanced JWT claims management, improved token encryption and signing options, robust token validation and audit logging, external claims handling, and better refresh token and logout token handling.


Summary:

The code changes in this pull request focus on improving the security and functionality of various components in the Janssen Project's authentication server. The changes include updates to the handling of JSON Web Tokens (JWTs) for access tokens, ID tokens, logout tokens, and Resource Protection Tokens (RPTs). The key security-related improvements are:

  1. Improved JWT Claims Management: The code updates the handling of JWT claims, such as nbf (Not Before), iat (Issued At), and exp (Expiration Time), to ensure that the tokens are properly validated and protected against replay attacks.

  2. Enhanced Token Encryption and Signing Options: The code provides flexibility in the choice of encryption and signing algorithms for different token types, allowing clients to select the appropriate level of security based on their requirements.

  3. Robust Token Validation and Audit Logging: The code includes thorough validation of incoming token requests and integrates with an audit logging component to maintain detailed records of token-related activities.

  4. External Claims Handling and Customization: The code allows for the injection of custom claims into tokens through external scripts, providing a way to extend the functionality and security of the token-based authentication and authorization mechanisms.

  5. Improved Refresh Token and Logout Token Handling: The changes in the AuthorizationGrant and LogoutTokenFactory classes focus on enhancing the security and reliability of refresh token and logout token management.

Overall, the code changes in this pull request demonstrate a strong emphasis on improving the security and robustness of the Janssen Project's authentication server, with a particular focus on the proper handling and validation of various token types.

Files Changed:

  1. jans-auth-server/model/src/main/java/io/jans/as/model/jwt/JwtClaims.java: The changes introduce new methods to set the nbf and iat claims in a more concise way, improving the usability and maintainability of the JwtClaims class.

  2. jans-auth-server/server/src/main/java/io/jans/as/server/model/token/IdTokenFactory.java: The changes ensure that the ID token includes the appropriate nbf and iat claims, which helps prevent replay attacks and improve the overall security of the authentication process.

  3. jans-auth-server/server/src/main/java/io/jans/as/server/service/token/StatusListService.java: The changes update the JWT claims in the status list functionality, including the addition of the nbf claim and the use of a configurable signing algorithm, which enhances the security of the status list implementation.

  4. jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AuthorizationGrant.java: The changes introduce the ability to create access tokens as JWTs, improve the handling of refresh tokens, and enhance the ID token creation process, all of which contribute to a more secure and robust token management system.

  5. jans-auth-server/server/src/main/java/io/jans/as/server/session/ws/rs/LogoutTokenFactory.java: The changes in this class focus on improving the security of the logout token by setting appropriate claims, such as iat, nbf, iss, jti, and sid, to prevent potential security issues.

  6. jans-auth-server/server/src/main/java/io/jans/as/server/token/ws/rs/TxTokenService.java: The changes in this class enhance the security of the transaction token (TX token) handling by improving token validation, providing encryption/signing options, and integrating with an audit logging component.

  7. jans-auth-server/server/src/main/java/io/jans/as/server/userinfo/ws/rs/UserInfoRestWebServiceImpl.java: The changes in this class are relatively minor and do not introduce any significant security concerns.

  8. jans-auth-server/server/src/main/java/io/jans/as/server/uma/service/UmaRptService.java: The changes in this class focus on improving the security of Resource Protection Tokens (RPTs) by adding the nbf claim and providing a way to inject custom claims through external scripts.

Code Analysis

We ran 9 analyzers against 8 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Authn/Authz Analyzer, 10 findings

Riskiness

🟢 Risk threshold not exceeded.

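As an added example (not code from the Janssen project or this PR), the claim shape the PR describes, with nbf set equal to iat, beside the verifier-side time check a resource server should apply to such tokens; the issuer and subject values, the 300-second lifetime and the 5-second clock-skew leeway are constructed assumptions.

```python
import time
from typing import Dict, Optional, Tuple

# Assumption: a small tolerance for clock skew between issuer and verifier.
DEFAULT_LEEWAY_SECONDS = 5


def build_time_claims(issuer: str, subject: str, lifetime_seconds: int,
                      now: Optional[int] = None) -> Dict[str, object]:
    """Issuer side: emit iat, nbf and exp, with nbf equal to iat as the PR does."""
    iat = int(time.time()) if now is None else now
    return {
        "iss": issuer,
        "sub": subject,
        "iat": iat,
        "nbf": iat,                      # not-before equals issued-at
        "exp": iat + lifetime_seconds,   # expiry relative to issuance
    }


def check_time_claims(claims: Dict[str, object], now: int,
                      leeway: int = DEFAULT_LEEWAY_SECONDS) -> Tuple[bool, str]:
    """Verifier side: enforce iat/nbf/exp (RFC 7519 NumericDate semantics) with leeway.

    nbf is required here because the issuer in this PR always emits it.
    Returns (accepted, reason).
    """
    for name in ("iat", "nbf", "exp"):
        value = claims.get(name)
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(value, int) or isinstance(value, bool):
            return False, f"{name} missing or not an integer NumericDate"
    iat, nbf, exp = claims["iat"], claims["nbf"], claims["exp"]
    # Internal consistency: a token cannot become valid before it was issued,
    # and must expire after it becomes valid.
    if nbf < iat:
        return False, "nbf precedes iat"
    if exp <= nbf:
        return False, "exp not after nbf"
    # Not yet valid: reject unless nbf is within the leeway window.
    if now + leeway < nbf:
        return False, "token not yet valid (nbf in the future)"
    # Expired: reject once now is at or past exp, allowing for skew.
    if now - leeway >= exp:
        return False, "token expired"
    return True, "ok"
```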

@mo-auto mo-auto added the labels comp-jans-auth-server (Component affected by issue or PR) and kind-feature (Issue or PR is a new feature request) Sep 5, 2024
@yurem yurem enabled auto-merge (squash) September 5, 2024 08:48
@yurem yurem merged commit 2d5f003 into main Sep 5, 2024
1 of 2 checks passed
@yurem yurem deleted the jans-auth-server-9320 branch September 5, 2024 08:48
yuriyz added a commit that referenced this pull request Nov 7, 2024
…iat #9320 (#9375)

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
Former-commit-id: 2d5f003