8000 feat: ui improvement and FIDO authentication integration by duttarnab · Pull Request #8828 · JanssenProject/jans · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

feat: ui improvement and FIDO authentication integration #8828

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 14 commits into from
Jul 2, 2024
Merged

feat: ui improvement and FIDO authentication integration #8828

merged 14 commits into from
Jul 2, 2024

Conversation

duttarnab
Copy link
Contributor

closes #5962

duttarnab added 8 commits June 28, 2024 15:06
@duttarnab
feat: ui improvement and fido authentication integration #5962
21f735f 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: adding loader
ca4f93e 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
< 8000 a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/duttarnab/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/duttarnab"> @duttarnab
feat: fix loading issue
e136bc1 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: fixing logout
5d575af 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: fixing logout
db2cc2f 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: adding docs
1377d7d 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: adding docs
0b6f544 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: adding docs
f399bce 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab duttarnab changed the title feat: : ui improvement and FIDO authentication integration feat: ui improvement and FIDO authentication integration Jul 1, 2024
@dryrunsecurity DryRunSecurity
Copy link
dryrunsecurity bot commented Jul 1, 2024
edited
Loading

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer 0 findings
Configured Codepaths Analyzer 0 findings
Secrets Analyzer 0 findings
Authn/Authz Analyzer 0 findings
SQL Injection Analyzer 0 findings
Sensitive Files Analyzer 0 findings
IDO 8000 R Analyzer 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request cover a wide range of functionality for the "Jans Chip" Android application, with a focus on improving the security and integrity of the application. The changes include updates to the Android Manifest, addition of new instrumented tests, enhancements to the README documentation, and significant updates to the application's build configuration and database implementation.

From an application security perspective, the key points to highlight are:

  1. Reduced Attack Surface: The removal of specific login, registration, and splash screen activities in the Android Manifest reduces the attack surface of the application, which is a positive security measure.

  2. Secure Authentication and Authorization: The application now includes features like Dynamic Client Registration (DCR), DPoP (Demonstration of Proof-of-Possession) access tokens, and the requirement to add an "Auth Challenge Script" to the Janssen Auth server, suggesting a focus on implementing secure authentication and authorization mechanisms.

  3. Cryptographic Key Management: The changes introduce a KeyManager class that uses the Android Keystore to securely generate, store, and use cryptographic keys for signing data and generating JWTs.

  4. Database Security: The introduction of various DAO (Data Access Object) classes for managing entities like OIDC clients, FIDO configurations, and app integrity data highlights the need to ensure proper input validation, access control, and secure storage of sensitive data.

  5. Jetpack Compose Integration: The migration to Jetpack Compose, a modern UI toolkit for Android, introduces new security considerations that should be carefully reviewed, such as potential vulnerabilities in the Compose framework or in the way the application integrates with it.

Overall, the changes in this pull request demonstrate a strong focus on improving the security and integrity of the "Jans Chip" Android application. As an application security engineer, I would recommend thoroughly reviewing the implementation details, especially in areas related to authentication, authorization, cryptography, and data management, to ensure that the application follows best practices and mitigates potential security risks.

Files Changed:

  1. demos/jans-chip/android/app/src/main/AndroidManifest.xml: Removal of specific login, registration, and splash screen activities, reducing the application's attack surface.
  2. demos/jans-chip/android/app/src/androidTest/java/io/jans/chip/ExampleInstrumentedTest.kt: Addition of a new instrumented test file for the Android application.
  3. demos/jans-chip/android/README.md: Significant updates to the README, including information about the authentication flow, the "Auth Challenge Script", and security-focused features like DCR and DPoP.
  4. demos/jans-chip/android/app/build.gradle.kts: Major updates to the application's build configuration, including dependency version changes, Jetpack Compose integration, and cryptographic library additions.
  5. demos/jans-chip/android/app/src/main/java/io/jans/chip/AppDatabase.kt: Implementation of a Room database for the application, with considerations for secure data storage and handling.
  6. demos/jans-chip/android/app/src/main/java/io/jans/chip/PasswordTextField.kt: Introduction of a custom Jetpack Compose component for password input, with basic password validation.
  7. demos/jans-chip/android/app/src/main/java/io/jans/chip/MainActivity.kt: Main activity implementation, handling application initialization, OIDC client registration, and app integrity checking.
  8. demos/jans-chip/android/app/src/main/java/io/jans/chip/common/LocalCredentialSelector.kt: Addition of a utility class for selecting FIDO/WebAuthn credentials.
  9. demos/jans-chip/android/app/src/main/java/io/jans/chip/dao/AppIntegrityDao.kt: Implementation of a Room DAO for managing app integrity data.
  10. demos/jans-chip/android/app/src/main/java/io/jans/chip/common/AuthAdaptor.kt: Integration of FIDO/WebAuthn functionality for user authentication and credential management.
  11. demos/jans-chip/android/app/src/main/java/io/jans/chip/dao/FidoConfigurationDao.kt: Introduction of a Room DAO for managing FIDO configurations.
  12. `demos/jans-chip/

Powered by DryRun Security

@mo-auto mo-auto added area-documentation Documentation needs to change as part of issue or PR kind-feature Issue or PR is a new feature request labels Jul 1, 2024
duttarnab added 2 commits July 1, 2024 22:15
@duttarnab
feat: modify README
3c8bc69 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: modify README
7711cbc 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@duttarnab
feat: changing ReadMe
e08931c 
Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
@moabu moabu merged commit 27de43e into main Jul 2, 2024
9 checks passed
@moabu moabu deleted the jans-chip-issue-5962 branch July 2, 2024 08:54
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
@duttarnab
feat: ui improvement and FIDO authentication integration (#8828)
f050f05 
* feat: ui improvement and fido authentication integration #5962

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: adding loader

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: fix loading issue

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: fixing logout

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: fixing logout

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: adding docs

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: adding docs

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: adding docs

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: remove extra OP_config call

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: modify README

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: modify README

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: changing ReadMe

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

---------

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
Former-commit-id: 27de43e
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@NazarYavornytskyy NazarYavornytskyy NazarYavornytskyy approved these changes

@moabu moabu moabu approved these changes

Assignees
No one assigned
Labels
area-documentation Documentation needs to change as part of issue or PR kind-feature Issue or PR is a new feature request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

feat(jans-chip): UI improvement and FIDO authentication integration
4 participants
@duttarnab @NazarYavornytskyy @moabu @mo-auto
0