fix(config-api): scope validation issue #9426

[pujavs]

Prepare

• Read PR guidelines
• Read license information

---

Description

Target issue

closes #9426

Implementation Details

---

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving the security and access control mechanisms of the Jans Config API, with key changes in the OpenIdAuthorizationService class and the Swagger documentation to enhance token validation, scope validation, authentication-specific scopes, external authorization, and access control properties for the JansAttribute schema.

Expand for full summary

Summary:

The changes in this pull request focus on improving the security and access control mechanisms of the Jans Config API. The primary changes are in the OpenIdAuthorizationService class, which handles the authorization process for incoming requests, and the Swagger documentation, which updates the access control properties for the JansAttribute schema.

The key security-related aspects of the changes in the OpenIdAuthorizationService class include:

1. Thorough Token Validation: The code properly validates incoming tokens, whether they are JWT or reference tokens, ensuring that only valid tokens are accepted.
2. Comprehensive Scope Validation: The scope validation process checks for missing scopes at different levels (super, group, and normal scopes), ensuring that clients only have access to the resources they are authorized to access.
3. Authentication-Specific Scopes: The ability to generate a new access token with the required authentication-specific scopes is a security feature that allows the application to enforce more granular access control.
4. External Authorization: The external authorization mechanism provides a way to implement custom authorization logic outside of the standard scope validation process, which could be useful for implementing additional security checks or integrating with external authorization systems.

The changes to the Swagger documentation update the access control properties for the JansAttribute schema, which is likely to improve the API's access control and authorization mechanisms by enforcing more granular permissions for users and administrators.

Overall, these changes appear to be a positive improvement from an application security perspective, as they enhance the security and access control capabilities of the Jans Config API.

Files Changed:

1. jans-config-api/server/src/main/java/io/jans/configapi/security/service/OpenIdAuthorizationService.java:
   • The code in this file handles the authorization process for incoming requests, focusing on the validation of OAuth2 tokens and their associated scopes.
   • The changes include thorough token validation, comprehensive scope validation, authentication-specific scopes, and an external authorization mechanism.
2. jans-config-api/docs/jans-config-api-swagger.yaml:
   • The changes in this file update the access control properties for the JansAttribute schema, including userCanAccess, adminCanAccess, userCanEdit, adminCanEdit, userCanView, and adminCanView.
   • These changes are likely to improve the API's access control and authorization mechanisms by enforcing more granular permissions for users and administrators.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[sonarqubecloud]

Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud