ProjectPasskeys: fix(jans-fido2): Major FIDO2 / Passkeys upgrade by maduvena · Pull Request #9120 · JanssenProject/jans · GitHub

Closed · wants to merge 4,438 commits

Conversation

maduvena (Contributor) commented Aug 5, 2024

This PR completely revamps jans-fido2 to enable support for passkeys and bring the server up to spec.

So far changes:

dryrunsecurity bot commented Aug 5, 2024

DryRun Security Summary

The pull request covers various updates and improvements to the FIDO2 authentication implementation in the Janssen application, focusing on enhancing security, configurability, logging, and monitoring of the FIDO2 functionality.


Summary:

The code changes in this pull request cover various updates and improvements to the FIDO2 (Fast Identity Online) authentication implementation in the Janssen (Jans) application. The changes focus on enhancing the security and configurability of the FIDO2 functionality, with a particular emphasis on the following areas:

  1. Metadata Service Validation: The changes introduce the ability to disable or monitor the metadata service validation during the FIDO2 attestation process. This is an important security consideration, as disabling metadata validation could potentially introduce risks if untrusted authenticators are allowed.

  2. FIDO Algorithm Configuration: The changes rename the "requested credential types" parameter to "enabled FIDO algorithms", allowing for better control and visibility over the supported cryptographic algorithms used in the FIDO2 implementation.

  3. Relying Party (RP) Configuration: The changes update the Relying Party configuration, including renaming fields and simplifying the structure. This helps to ensure that the RP information is correctly configured and aligned with the expected deployment environment.

  4. User Auto-Enrollment: The changes suggest a move away from automatically enrolling users in the FIDO2 authentication process, which is a positive security enhancement, as it requires explicit user consent for enrollment.

  5. Logging and Monitoring: The changes introduce new configuration options related to logging and metrics, which can improve the overall visibility and monitoring of the FIDO2 implementation.

Files Changed:

  1. docker-jans-fido2/scripts/upgrade.py: This file contains changes to the FIDO2 dynamic configuration, including the modification of the "attestationMode" parameter, which should be carefully reviewed to ensure that it does not introduce any security vulnerabilities.

  2. docs/janssen-server/fido/logs.md, docs/janssen-server/config-guide/fido2-config/janssen-fido2-configuration.md, docs/janssen-server/fido/config.md, docs/janssen-server/reference/json/properties/fido2-properties.md: These documentation files have been updated to reflect the changes in the FIDO2 configuration, including the renaming of parameters, the addition of new configuration options, and the changes to the metadata service validation.

  3. docs/script-catalog/person_authentication/fido2-external-authenticator/Fido2ExternalAuthenticator.py: This file contains changes to the FIDO2 authentication process, including the removal of the platformAuthenticatorAvailable parameter and improvements to the logging and error handling.

  4. docs/janssen-server/fido/vendor-metadata.md: This file discusses the handling of vendor-specific metadata in the FIDO2 implementation and the implications of disabling metadata validation.

  5. jans-auth-server/server/src/main/webapp/auth/fido2/passkeys.xhtml: This file contains changes to the FIDO2 credential registration and authentication processes, including the addition of an alert message for debugging purposes.

Overall, the changes in this pull request appear to be focused on improving the security and configurability of the FIDO2 implementation in the Janssen application. As an application security engineer, it is important to thoroughly review these changes and ensure that the FIDO2 implementation continues to adhere to best practices and industry standards for secure authentication.

Code Analysis

We ran 9 analyzers against 30 files and 2 analyzers had findings. 7 analyzers had no findings.

Analyzer findings:

- Sensitive Files Analyzer: 1 finding
- Authn/Authz Analyzer: 3 findings

Riskiness

🟢 Risk threshold not exceeded.


@mo-auto mo-auto added comp-jans-fido2 Component affected by issue or PR kind-bug Issue or PR is a bug in existing functionality labels Aug 5, 2024
sonarqubecloud bot commented Aug 5, 2024

Quality Gate Failed Quality Gate failed for 'Fido2 API'

Failed conditions
181 New Code Smells (required ≤ 8)
69 Duplicated Lines on New Code (required ≤ 20)


sonarqubecloud bot commented Aug 5, 2024

@yackermann yackermann changed the title fix(jans-fido2): #8901 ProjectPasskeys: fix(jans-fido2): Major FIDO2 / Passkeys upgrade Aug 5, 2024
@yackermann yackermann marked this pull request as draft August 5, 2024 20:45
* feat: add support for BS / BE flags in AuthData #8903

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: adding comments

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

* feat: adding comments

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>

---------

Signed-off-by: Arnab Dutta <arnab.bdutta@gmail.com>
Co-authored-by: Ackermann Yuriy <1636116+yackermann@users.noreply.github.com>
sonarqubecloud bot commented Aug 6, 2024

yurem and others added 18 commits August 6, 2024 20:13
Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* Lock / Cedarling doc updates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Michael Schwartz

* fix(docs): proofreading

Signed-off-by: ossdhaval <343411+ossdhaval@users.noreply.github.com>

---------

Signed-off-by: ossdhaval <343411+ossdhaval@users.noreply.github.com>
Co-authored-by: ossdhaval <343411+ossdhaval@users.noreply.github.com>
* fix(jans-auth): fix AD user authentication

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

* fix(jans-auth): fix AD user authentication

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>

---------

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
…9133)

* fix(config-api): asset mgt endpoint fixes

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt enhancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt enhancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt enhancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

---------

Signed-off-by: pujavs <pujas.works@gmail.com>
Co-authored-by: Devrim <devrimyatar@gluu.org>
…hbase persistence (#9134)

* fix(docker-jans-saml): kc-jans-spi throws error if using spanner/couchbase persistence

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* fix: extract spanner/couchbase libs into KC providers directory

Signed-off-by: iromli <isman.firmansyah@gmail.com>

---------

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Signed-off-by: mzico <mohib@gluu.org>
Co-authored-by: Dhaval D <343411+ossdhaval@users.noreply.github.com>
 (#9141)

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
…val #9074 (#9139)

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
…#8910)

* docs: add network traffic notes

* docs: add network traffic notes

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* docs: add external communication

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* docs: add note to avoid java args break

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* Revert "docs: add note to avoid java args break"

This reverts commit 9f22446.

* feat: add custom service Account, labels and annotations

* docs: generate helm-docs

* fix: resolve conflict

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* docs: resolve conflicts

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* fix: add lock additional labels and annotations

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* fix: reference labels and annotations correctly

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* fix: consistent order

* fix(nginx-ingress): pass one argument to toYaml function

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

* docs: generate helm-docs

Signed-off-by: Amro Misbah <amromisba7@gmail.com>

---------

Signed-off-by: Amro Misbah <amromisba7@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Signed-off-by: iromli <isman.firmansyah@gmail.com>
…id json response #9148 (#9149)

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix(config-api): asset mgt endpoint fixes

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt enhancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt enhancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): asset upload mgt enhancement and fido

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(config-api): asset upload

Signed-off-by: pujavs <pujas.works@gmail.com>

* fix(config-api): lock review comments

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock code review comments

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock master renamed to lock server

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock master renamed to lock server

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock master renamed to lock server

Signed-off-by: pujavs <pujas.works@gmail.com>

* feat(config-api): lock master renamed to lock server

Signed-off-by: pujavs <pujas.works@gmail.com>

---------

Signed-off-by: pujavs <pujas.works@gmail.com>
Signed-off-by: Mustafa Baser <mbaser@mail.com>
Signed-off-by: Mustafa Baser <mbaser@mail.com>
Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
SafinWasi and others added 4 commits October 17, 2024 12:45
* feat(jans-casa): fix bioid flow launching

Signed-off-by: SafinWasi <6601566+SafinWasi@users.noreply.github.com>

* docs(jans-casa): fix instructions

Signed-off-by: SafinWasi <6601566+SafinWasi@users.noreply.github.com>

---------

Signed-off-by: SafinWasi <6601566+SafinWasi@users.noreply.github.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
* fix(cloud-native): resolve opentelemetry error on keycloak startup

Signed-off-by: iromli <isman.firmansyah@gmail.com>

* chore: downgrade keycloak version to 25.0.6

Signed-off-by: iromli <isman.firmansyah@gmail.com>

---------

Signed-off-by: iromli <isman.firmansyah@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Quality Gate Passed Quality Gate passed for 'keycloak-integration-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code


moabu and others added 10 commits October 17, 2024 14:56
docs: add release process

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
* feat(jans-fido2): reflect authenticator name with passkeys

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

* fix(jans-fido2): handle test cases for authenticator name

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

---------

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
#9624)

fix(jans-fido2): remove superGluu-related endpoints from FIDO2 Swagger and ConfigurationControllerTest

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
….0-M12 to 4.0.0-M16 in /jans-scim (#9010)

chore(deps): bump org.apache.maven.plugins:maven-site-plugin

Bumps [org.apache.maven.plugins:maven-site-plugin](https://github.com/apache/maven-site-plugin) from 4.0.0-M12 to 4.0.0-M16.
- [Commits](apache/maven-site-plugin@maven-site-plugin-4.0.0-M12...maven-site-plugin-4.0.0-M16)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-site-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jose Gonzalez <bonustrack310@gmail.com>
Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>
Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>
…tion and assertion API calls #9248 (#9974)

* feat(jans-fido2): add origin parameter in Fido2ExternalAuthenticator script for attestation and assertion API calls

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

* refactor(docs): add origin parameter in Fido2ExternalAuthenticator script for attestation and assertion API calls #9248

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

* fix(jans-fido2): handle origin if http or https is missing #9248

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>

---------

Signed-off-by: imran-ishaq <imranishaq024@gmail.com>
Signed-off-by: imran-ishaq <imranishaq024@gmail.com>
Signed-off-by: Mustafa Baser <mbaser@mail.com>
sonarqubecloud bot commented Nov 3, 2024

Signed-off-by: shekhar16 <shekharlaad1609@gmail.com>
moabu (Member) commented Nov 7, 2024

Closed in favor of a rebase here #10078
