feat: allow specifying scopes during execution of authz url #9452

Merged: 4 commits merged into main from jans-tarp-issue-9420 on Sep 11, 2024

Conversation

duttarnab (Contributor)

closes #9420

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
dryrunsecurity bot commented Sep 10, 2024

DryRun Security Summary

The pull request focuses on implementing an OIDC client registration functionality and enhancing the authentication flow in a React-based application, with key security considerations around input validation, OIDC configuration fetching, client registration, client information storage, scope and ACR value handling, and custom parameter validation.

Summary:

The code changes in this pull request are focused on the implementation of an OIDC (OpenID Connect) client registration functionality and enhancements to the authentication flow in a React-based application. From an application security perspective, the key areas that require review and consideration are:

  1. Input Validation: Ensuring that all user inputs, such as the OIDC issuer URL, are properly sanitized and validated to prevent potential injection attacks.
  2. OIDC Configuration Fetching: Validating the response from the OIDC provider to ensure that the data is consistent and secure.
  3. OIDC Client Registration: Verifying that the client properties, such as redirect_uris, scopes, and response_types, are properly validated and aligned with the application's security requirements.
  4. Client Information Storage: Ensuring that the stored OIDC client information, including the client ID and client secret, is properly encrypted and protected from unauthorized access.
  5. Scope and ACR Value Handling: Reviewing the implementation of the scope and ACR value selection to ensure that the expected behavior is maintained and that there are no security implications.
  6. Custom Parameters: Validating the handling of custom parameters added to the authorization URL to prevent potential injection attacks, such as open redirect vulnerabilities.

Overall, the code changes appear to be well-structured and follow best practices for OIDC integration. However, it's essential to thoroughly review the application's security controls, input validation, and data protection mechanisms to ensure that the OIDC and authentication flow implementations are secure and do not introduce any vulnerabilities.

Files Changed:

  1. demos/jans-tarp/src/options/registerClient.tsx:

    • This file contains the implementation of the OIDC client registration functionality, including input validation, OIDC configuration fetching, and client registration.
    • The key security considerations are input validation, OIDC configuration validation, and secure storage of the client information.
  2. demos/jans-tarp/src/options/authFlowInputs.tsx:

    • This file includes enhancements to the authentication flow, such as scope selection, ACR value selection, and the ability to add custom parameters.
    • The security considerations include scope and ACR value handling, as well as the validation of custom parameters to prevent injection attacks.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

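The two review points above that actually carry risk, scope/ACR handling and custom parameters appended to the authorization URL, come down to one question: can a value typed into the extension's UI end up overriding a parameter the app itself sets (redirect_uri, client_id, state, nonce), or break the query string through unencoded characters? The following is an added example written for this page, not code from jans-tarp or the Janssen project. It builds the authorization URL with URLSearchParams so every key and value is percent-encoded, validates each scope and acr_values entry as a single RFC 6749 scope token, requires `openid`, checks the redirect_uri against the list registered at client registration, and rejects any custom parameter whose name collides with a reserved one. The function name `buildAuthzUrl`, the request-object fields, and the sample request (including the host names) are all hypothetical.

```javascript
// Added example, not jans-tarp project code: build an OIDC authorization
// request URL from caller-selected scopes, acr_values and custom parameters.
// buildAuthzUrl, the request fields and SAMPLE_REQUEST are hypothetical names.

// Parameters the app sets itself. A "custom" parameter must never replace
// one of these; otherwise the extra-parameters UI becomes a way to send the
// authorization code somewhere other than the registered redirect_uri.
const RESERVED_PARAMS = new Set([
  "response_type", "client_id", "redirect_uri", "scope",
  "state", "nonce", "acr_values", "code_challenge", "code_challenge_method",
]);

// One scope token per RFC 6749 section 3.3: printable ASCII except
// space, double quote and backslash. The same grammar suits a single
// acr value (a short name or a URI).
const SCOPE_TOKEN = /^[\x21\x23-\x5B\x5D-\x7E]+$/;

function assertToken(kind, value) {
  if (typeof value !== "string" || !SCOPE_TOKEN.test(value)) {
    throw new Error(`invalid ${kind}: ${JSON.stringify(value)}`);
  }
}

// req fields (hypothetical):
//   authorizationEndpoint   authorization_endpoint from the discovery document
//   registeredRedirectUris  redirect_uris accepted at client registration
//   clientId, redirectUri, scopes, acrValues, customParams, state, nonce
// Returns the absolute URL the browser should be sent to.
function buildAuthzUrl(req) {
  const url = new URL(req.authorizationEndpoint);
  if (url.protocol !== "https:") {
    throw new Error("authorization_endpoint must be https");
  }
  url.hash = ""; // a fragment on the endpoint would be meaningless here

  // Only a redirect_uri that was registered can receive the code.
  if (!req.registeredRedirectUris.includes(req.redirectUri)) {
    throw new Error("redirect_uri not registered for this client");
  }

  // Scopes: validate each token, de-duplicate, require openid.
  const scopes = [...new Set(req.scopes)];
  scopes.forEach((s) => assertToken("scope", s));
  if (!scopes.includes("openid")) {
    throw new Error("scope must contain openid");
  }

  const p = url.searchParams; // percent-encodes keys and values for us
  p.set("response_type", "code");
  p.set("client_id", req.clientId);
  p.set("redirect_uri", req.redirectUri);
  p.set("scope", scopes.join(" "));
  p.set("state", req.state);
  p.set("nonce", req.nonce);

  const acr = req.acrValues || [];
  if (acr.length > 0) {
    acr.forEach((a) => assertToken("acr_values entry", a));
    p.set("acr_values", acr.join(" "));
  }

  // Custom parameters: reject names that would override a reserved one,
  // and restrict names to a conservative character set.
  for (const [k, v] of Object.entries(req.customParams || {})) {
    if (RESERVED_PARAMS.has(k)) {
      throw new Error(`custom parameter "${k}" would override a reserved parameter`);
    }
    if (!/^[A-Za-z0-9_.-]+$/.test(k)) {
      throw new Error(`custom parameter name not allowed: ${JSON.stringify(k)}`);
    }
    p.set(k, String(v));
  }
  return url.toString();
}

// Constructed sample request (not real client data).
const SAMPLE_REQUEST = {
  authorizationEndpoint: "https://op.example.com/jans-auth/restv1/authorize",
  registeredRedirectUris: ["https://rp.example.com/cb"],
  clientId: "sample-client-id",
  redirectUri: "https://rp.example.com/cb",
  scopes: ["openid", "profile", "openid"], // duplicate on purpose
  acrValues: ["basic"],
  customParams: { ui_locales: "en", prompt: "login" },
  state: "s-123",
  nonce: "n-456",
};

const SAMPLE_URL = buildAuthzUrl(SAMPLE_REQUEST);
console.log(SAMPLE_URL);
```

With the sample request, a custom parameter named `redirect_uri`, a scope value containing a space, or a redirect_uri outside the registered list each throws before any URL is built; the duplicate `openid` collapses to a single token in the `scope` parameter.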
@mo-auto mo-auto added the kind-feature Issue or PR is a new feature request label Sep 10, 2024
mjatin-dev previously approved these changes Sep 10, 2024
@moabu moabu merged commit 82ea7df into main Sep 11, 2024
11 checks passed
@moabu moabu deleted the jans-tarp-issue-9420 branch September 11, 2024 07:00
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
* feat: allow specifying scopes during execution of authz url

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: allow specifying scopes during execution of authz url

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: code fix

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

---------

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Former-commit-id: 82ea7df
Labels: kind-feature (Issue or PR is a new feature request)
Linked issue: feat(jans-tarp): allow specifying scopes during execution of authz url
4 participants