feat(jans-auth-server): access token lifetime from UpdateToken interception script has highest priority #9748 #10379

yuriyz · 2024-12-10T09:28:14Z

Description

feat(jans-auth-server): access token lifetime from UpdateToken interception script has highest priority

Target issue

Test and Document the changes

Static code analysis has been run locally and issues have been fixed
Relevant unit and integration tests have been added/updated
Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

I confirm that there is no impact on the docs due to the code changes in this PR.

…eption script has highest priority #9748 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

dryrunsecurity · 2024-12-10T09:28:35Z

DryRun Security Summary

The pull request introduces updates to the Jans Auth Server's token management functionality, focusing on more flexible access token lifetime calculation and enhanced customization of token claims through the "Update Token" custom script.

Expand for full summary

Summary:

The code changes in this pull request focus on updates to the token management functionality within the Jans Auth Server project. The key changes include:

Access Token Lifetime Calculation: The AbstractAuthorizationGrant class has been updated to handle various scenarios for determining the lifetime of access tokens, including using the client's specific lifetime setting, recalculating based on key regeneration, and allowing an external script to override the default value. These changes aim to provide more flexibility and control over access token lifetimes, which can be important for security and compliance reasons.
Update Token Custom Script: The changes to the "Update Token" custom script functionality allow for extensive customization of token claims, values, and lifetimes. This includes the ability to modify the scope of the access token, perform additional business logic checks before issuing the token, and add extra audit logging for token-related activities. These features can enhance the overall security posture of the application, but they also require careful implementation and configuration to mitigate potential risks, such as improper scope management or introduction of new vulnerabilities.

From an application security perspective, the changes appear to be reasonable and do not introduce any obvious security concerns. However, it is important to thoroughly test the changes and ensure that they do not have any unintended consequences or introduce new vulnerabilities to the overall system.

Files Changed:

jans-auth-server/server/src/main/java/io/jans/as/server/model/common/AbstractAuthorizationGrant.java: This file has been updated to handle various scenarios for determining the lifetime of access tokens, including using the client's specific lifetime setting, recalculating based on key regeneration, and allowing an external script to override the default value.
docs/script-catalog/update_token/update-token.md: This file describes the changes to the "Update Token" custom script functionality, which allows for extensive customization of token claims, values, and lifetimes, as well as the ability to modify the scope of the access token, perform additional business logic checks, and add extra audit logging.

Code Analysis

We ran 9 analyzers against 2 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

sonarqubecloud · 2024-12-10T10:48:15Z

Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

…eption script has highest priority #9748 (#10379) Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

feat(jans-auth-server): access token lifetime from UpdateToken interc…

e20be0b

…eption script has highest priority #9748 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

yuriyz requested review from yurem and yuriyzz as code owners December 10, 2024 09:28

yuriyz self-assigned this Dec 10, 2024

yuriyzz approved these changes Dec 10, 2024

View reviewed changes

yuriyz enabled auto-merge (squash) December 10, 2024 09:28

mo-auto added area-documentation Documentation needs to change as part of issue or PR comp-docs Touching folder /docs comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Dec 10, 2024

yurem approved these changes Dec 10, 2024

View reviewed changes

Merge branch 'main' into jans-auth-server-9748

98b0f70

yuriyz merged commit c2ef55d into main Dec 10, 2024
1 check passed

yuriyz deleted the jans-auth-server-9748 branch December 10, 2024 10:37

mo-auto mentioned this pull request Dec 23, 2024

chore(main): release 1.2.0 #10490

Merged

ossdhaval pushed a commit that referenced this pull request Dec 27, 2024

feat(jans-auth-server): access token lifetime from UpdateToken interc…

0b4aba2

…eption script has highest priority #9748 (#10379) Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat(jans-auth-server): access token lifetime from UpdateToken interception script has highest priority #9748 #10379

feat(jans-auth-server): access token lifetime from UpdateToken interception script has highest priority #9748 #10379

feat(jans-auth-server): access token lifetime from UpdateToken interception script has highest priority #9748 #10379

feat(jans-auth-server): access token lifetime from UpdateToken interception script has highest priority #9748 #10379

Conversation

Description

Target issue

Test and Document the changes

DryRun Security Summary

Code Analysis

Quality Gate passed for 'jans-config-api-parent'