Feat: stat endpoint must require specific scope during authorization check (needed for both oxauth and jans) #1554
Assignees
Labels
enhancement
libs update, re-factroring, etc.
Comments
yuriyz
added a commit
to GluuFederation/community-edition-setup
that referenced
this issue
Jul 23, 2021
yuriyz
added a commit
that referenced
this issue
Jul 23, 2021
|
Done in both 4.3 and jans, authorization expects token with |
|
Re-opened to add |
yuriyz
added a commit
to GluuFederation/community-edition-setup
that referenced
this issue
Jul 26, 2021
yuriyz
added a commit
that referenced
this issue
Jul 26, 2021
|
Done in 4.3 and jans. |
yurem
added a commit
that referenced
this issue
Oct 5, 2021
* Revert "Temporary disable tests" This reverts commit a74cca4 * fix: update passport social script to handle provider config state problem #1448 * (4.2.2) Refresh token removing doesn't look up in persistence. #1480 * fix: update jwt date check function in passport scripts #1482 * Merge www pass from master * (4.2.2) 1. session_id should not be included into response if it's not explicitly allowed. 2. ``/end_session` should validate by sid value #1485 * (4.2.2) Corrected validation by sid at /end_session endpoint. #1485 * (4.2.2) Set session reference into identity object independently from invalidateSessionCookiesAfterAuthorizationFlow flag. #1486 * (4.2.2) Added cache support for discovery page (`.well-known/openid-configuration`). #1487 * (4.2.2) Return sid from authorization endpoint. #1485 * Update dependencies * Corrected authorization code clean up at token endpoint. * Corrected bug for refreshing token based on requested offline_access scope #1492 * Fixed NPE #1492 * (4.2.2) JWKS : Added key selection strategy. Supported strategies are : OLDER, NEWER, FIRST. #1494 * Avoid NPE due to clientRegDefaultToCodeFlowWithRefresh conf property * Fixed client and tests related to switching /end_session to sid. #1485 * (4.2.2) Added client's custom attributes to response if present in dynamicRegistrationCustomAttributes configuration property. #1488 * (4.2.2) Print only sessionId at INFO log level. * Fix ACR change when used alias * Fix ACR change when used alias * (4.2.2) Added nested JWT support into JWE #949 * (4.2.2) Corrected CrossEncryptionTest #949 * (4.2.2) Return sub value for ROPC based on `openidSubAttribute`. #1491 * (4.2.2) Added a new claim to the id_token: `"grant": <value>". #1497 * (4.2.2) Added required method to UnmodifiableAuthorizationGrant #1497 * (4.2.2) More logs in trace - added keySelectionStrategy #1494 * Adjust endpoint response according to compatibility flag #1499 * Allow bean to parse both string/list scopes formats #1499 * (4.2.2) Client's Pre-authorization flag takes higher priority. If it's true then we will ignore spec's "consent MUST" for offline access. #1496 * Fix javadoc param * casa's DUO plugin related files * Casa's DUO plugin * BioID interception script and CASA integration * Avoid NPE when there is no grant #1499 * bioid image * (4.2.2) BUG : PostAuthentication script calls re-authentication instead of re-authorization. #1504 * (4.2.2) Fixed bug - 500 server error when we request for an authorization token concurrenly #1481 * (4.2.2) Checked also grant scopes for offline_access scope. #1492 * Added more trace logs during key selection. * (4.2.2) id_token is missed during 2 concurrent calls for ROPC #1493 * #1506 - Modify the `claims-gathering` script so that it first tries to read claims from PCT before directing to the page to enter claims. * Don't stop on unsuccessfull BC installation * (4.2.2) NPE during backchannel logout if grant object was not identified #1505 * BioID script * Fix PasswordValidator faces validator dependend beans injection after JSF update to 2.3.x #1508 * Fix PasswordValidator faces validator dependend beans injection after JSF update to 2.3.x #1508 * (4.2.2) Introduced revoke interception script #1502 * (4.2.2) `sector_identifier` has to be based on host only. Also optimize redirect_uri's validation based on `sector_identifier_uri` #1503 * #1056 Modify the `claims-gathering` script so that it first tries to read claims from PCT before directing to the page to enter claims. * Fix compilation after BC upgrade * Version 4.2.2.Final * Temporary disable client side tests * Revert "Temporary disable client side tests" This reverts commit 1e3b7bb. * Version 4.2.3-SNAPSHOT * Temporary disable client side tests * Revert "Temporary disable client side tests" This reverts commit 2f59e2a. * Minor code improvements for IntrospectionWebService * (4.2.3) Added Stat and StatEntry entities. * (4.2.3) Added Stat and StatEntry entities. #1512 * Add XML signature test * (4.2.3) Added net.agkn.hll to pom #1512 * (4.2.3) Added "stat" base dn to config #1512 * (4.2.3) Added stat event and stat related configurations. #1512 * (4.2.3) Implemented StatService. #1512 * (4.2.3) Added stat timer. #1512 * (4.2.3) Added stat response item. #1512 * More logs * Reduced intervals of timers for test purpose. * (4.2.3) Report about token creation to stat service. #1512 * (4.2.3) Stat timer initialization. #1512 * Revert "Reduced intervals of timers for test purpose." This reverts commit ccaf020 * (4.2.3) added more logs #1512 * #1518 * (4.2.3) Fixed initialization of stat service #1512 * (4.2.3) Prevent NPE if stat service is not correctly initialized. #1512 * (4.2.3) Added reporting of active user to SessionIdService. #1512 * (4.2.3) Added stat response. #1512 * (4.2.3) Report for active user when authenticated session is created. #1512 * (4.2.3) Wrapped reporting active user into separate method. #1512 * (4.2.3) Added report for RPT token. #1512 * (4.2.3) Adding stat web service. #1512 * (4.2.3) Added month validation and run validation methods to StatWS. #1512 * (4.2.3) Added authorization validation and cardinality union for MAU (StatWS). #1512 * (4.2.3) Added aggregation for MAU and tokens per grant type (StatWS). #1512 * (4.2.3) Added aggregation of StatResponseItem (StatWS). #1512 * (4.2.3) Constructed stat response and prefixed endpoint with /internal/stat (StatWS) #1512 * Version 4.2.3.Final * Temporary disable client side tests * (4.2.3) Corrected client authentication for StatWS #1512 * (4.2.3) Corrected client authentication for StatWS #1512 * (4.2.3) Added Stat client service and client test. #1512 * (4.2.3) `SectorIdentifierService` must be consistent with PairwiseIdentifierService and use host of sectorIdentifierUri (not entire uri). #1520 * Revert "Temporary disable client side tests" This reverts commit 8138ae8 * (4.2.3) added basic and post client authentication for stat #1512 * Version 4.3.0.Final * Temporary disable client side tests * Revert "Temporary disable client side tests" This reverts commit 23aa6bc. * (4.3) Avoid NPE in User Info Endpoint (caused by scope removing) #1517 * A sample script to explain redirection to a third party app and back to Gluu server * typo * New interceptions script to modify id_token #1523 * Add license * (4.3) Added ability to persist attributes into token object. Removed refresh token object after access_token and id_token are created. #1526 * (4.3) Removed statNodeId from configuration. #1512 * (4.3) Stat: Use mac address as nodeId. #1512 * (4.3) Added @Expiration annotation to AbstractToken (to cover all derived classes) #1528 * (4.3) Re-set ttl of objects on update. #1528 * (4.3) Re-set ttl of UMA Resource on update. #1528 * (4.3) Added keyAlgsAllowedForGeneration configuration property. #1525 * (4.3) Restricted keys generation by keyAlgsAllowedForGeneration configuration property. #1525 * feat(casa): allow preferred method to be prompted GluuFederation/casa#87 * Check if signatire verification method returns true * Backport: Add system flag config to enable/disable CIBA #1404 * Backport: Add system flag config to enable/disable CIBA #1404 * fix(4.3): mau report must not effect authentication #1512 * fix: failed to create Ldap connection pool with encoded password. #1531 * fix(forgot_password): update script compatibility (#1535) * fix(forgot.xhtml): remove broken syntax There was an additional `<` char on the file fix #1534 * fix(forgot_password): import and send correct args ConfigurationService should be imported from `service.common` and `init` should be called with additional arg `customScript` fix #1534 * feat(forgot_password): add important info to log fix #1534 * refactor(4.3): added logs about id_token creation https://github.com/JanssenProject/jans-auth-server/issues/102 * refactor(4.3): added trace logs about refresh_token creation https://github.com/JanssenProject/jans-auth-server/issues/102 * refactor(4.3): added trace logs about access_token creation https://github.com/JanssenProject/jans-auth-server/issues/102 * feat(4.3): added simpleclient_common dependency #1321 * fix(4.3): switched hll serialization to base64 from plain string #1538 * chore: added more log messages about stat node id creation * feat: move ORM to oxOrm * fix: fix dependecies * feat: add SQL/Spanner ORM libs * feat(4.3): constants for stat service #1321 * fix: fix configuration path * feat: merge ORM from Jans * feat: merge ORM from Jans * feat: update to conform new API * feat: update to conform new API * fix(4.3): don't create monthly branch if db does not support tree structure #1543 * fix(4.3): don't create monthly branch if db does not support tree structure #1543 * fix: merge cleaner fixes from Jans * fix: remove deprecated attributes * fix: remove unused attribute * feat(4.3) : added openmetrics response support to StatWS #1512 #1321 * fix: use right UmaResource class in cleaner job * fix: missing oxAuth dynamic configuration after save oxTrust #2067 * fix: missing oxAuth dynamic configuration after save oxTrust #2067 * fix: removed cleanServiceBaseDns configuration property used during development GluuFederation/oxTrust#2067 * feat: clean only oxAuth metrics * feat: avoid potential NPE * feat: add new ORM dependecies * fix(4.3): openmetrics reponse construction #1544 * fix(4.3): openmetrics response construction #1544 * fix(4.3): changed label name #1544 * fix(4.3): fixed npe in stat ws #1544 * fix(4.3): made access to hll thread-safe #1544 * fix(4.3): corrected stat labels #1544 * feat: don't use lower case in authenticate if DB is Spanner * feat: don't use lower case in use search if DB is Spanner * fix(4.3): don't add branch if db does not support branches * fix(4.3): don't add branch for rpt service if db does not support branches * feat (4.3): added new introspectionSkipAuthorization conf property https://github.com/JanssenProject/jans-auth-server/issues/105 * fix(4.3): removed redundant amr attribute reference. * feat(4.3): made mtls service ignore order during subject matching https://github.com/JanssenProject/jans-auth-server/issues/116 * feat(4.3): corrected typo https://github.com/JanssenProject/jans-auth-server/issues/117 * feat: Add sample passwordless authentication flow * DCR response should return 201 : indicates success + record persisted * Revert "DCR response should return 201 : indicates success + record persisted" This reverts commit 7ccdd40. * feat(4.3): added ability to skip authorization for introspection endpoint https://github.com/JanssenProject/jans-auth-server/issues/105 * feat: use right OC to execute authentication filter. Jans ORM #1 * fix: merge inum PCT generation code from Jans * feat: update server test profiles * feat: add missing SQL/Spanner conf files * feat: fix typo in names * feat: update default server profile * feat: update server test profiles * feat: sync with setup * fix: use right client keystores * feat: update server test profiles * feat: merge from Jans * feat: merge code from Jans * fix(4.3): corrected logging of consent gathering session service * fix(4.3): corrected logging of consent gathering session service * fix: use ldap sdk version which defined in ORM * feat: Support for platform authenticators as FIDO2 devices (touch ID in Apple devices) * feat: update libs * Fix: register prometheus counters once for giver registrar #1553 * feat: update libs * feat(4.3): forced stat scope for statistic endpoint #1554 * fix(4.3): ignore corrupted data during stat aggregation #1555 * feat(4.3): added statAuthorizationScope configuration property and enforced it #1554 * feat(4.3): removed oxauth-rp, rp-demo and rp-sprint-boot modules #1545 * ci: added updatePolicy: always to repo * fix(4.3): do not return session_id if sessionIdRequestParameterEnabled is false https://github.com/JanssenProject/jans-auth-server/issues/149 * feat: add pingid integration * chore: add README for casa script * chore: make README point to prod docs * feat: touch id as a fido2 device * docs: typo * fix: image not needed * fix: properly url decode query parameters in QueryStringDecoder * feat: added overload for url decode method in QueryStringDecoder * feat: update jquery * feat: add trace logging to dump redirect URI * feat(4.3): added organization to client * feat: Integrating Impossible travel feature by Deduce Insights in Passwordless Authentication flow. #1563 * fix: update to conform new ORM * fix: #1563 - moved code to seperate folder + implemented account lock on impossible travel detection * fix: fix oxEnrollmentCode custom attribute removal * feat : Interception script to integrate 2FA mechanism by Stytch with the Gluu Server #1564 * feat: casa plugin for Stytch Creds as a 2FA method * Version 4.3.0.Final * feat: temporary disable tests * Revert "feat: temporary disable tests" This reverts commit e6dcfda. * feat: force to use recent joda-time * fix(4.3): fixed persistence of session on acr changed detection #1552 * fix(4.3): removed filtering of stat endpoint Authorization is checked inside WS. * fix(4.3): added SSA and additional access token validation during client update #1567 * feat: added more logs to add user method * fix: consent Gathering Script is not working in 4.3.0 version. #1549 * fix: consent Gathering Script is not working in 4.3.0 version. #1549 * fix: consent Gathering Script is not working in 4.3.0 version. #1549 * fix(4.3): removed client_credentials token validation #1567 * Merge with 4.3.0 * Merge with 4.3.0 * Merge with 4.3.0 Co-authored-by: YuriyZ <yzabrovarniy@gmail.com> Co-authored-by: kdhttps <kdhttps@gmail.com> Co-authored-by: Christian <59786962+christian-hawk@users.noreply.github.com> Co-authored-by: Jose <bonustrack310@gmail.com> Co-authored-by: Madhumita <madhu@gluu.org> Co-authored-by: Arnab Dutta <arnab.bdutta@gmail.com> Co-authored-by: Djeumen Rolain <uprightech@gmail.com>
yurem
added a commit
to GluuFederation/community-edition-setup
that referenced
this issue
Oct 5, 2021
* fix post setup for scim * Casa's script for DUO * oxBiometricDevices, oxDUODevices * Putting oxDuoDevices and oxBiometricDevices at the bottom * oxBiometricDevices and oxDuoDevices are a part of gluuCustomPerson and not GluuPerson * fix custom_schema.json * change desc in custom_schema.json * (4.2.2) setup: revoke interception script sample GluuFederation/oxAuth#1502 * ask if oxtrust to be installed * couchase user pfrefix in datasource * fix version in post-setup * Version 4.2.2.Final * Version 4.2.3-SNAPSHOT * (4.2.2) setup: added ou=stat,o=gluu GluuFederation/oxAuth#1512 * (4.2.3) setup: added jansStatEntry OC GluuFederation/oxAuth#1512 * (4.2.3) setup: added jansId to indexes GluuFederation/oxAuth#1512 * change mod_ssl name for rhel7 * data type imapdata -> json for attrib 42E1 * ldap2cb: migrate to py3 and fixes * Make some SCIM attributes multivalued as in spec * Add multivalued data * Version 4.2.3.Final * (4.2.3) setup: added statWebServiceIntervalLimitInSeconds:60 GluuFederation/oxAuth#1512 * mod_ssl centos7 * Version 4.3.0.Final * Add u2f and fido2 test data * Add sample update_token script * Add sample update_token script * fixes templates * show version on tui * fixes * no-chroot install script * install missing packages * Add keepAliveInterval CB SDK support * F2 to display version info * python3-six dependency for gluu_setup.py * refactor: 4.3.0 setup * fix: oxd-server.default * fix: idp download * fix: don't backup same file * refactor: seperate argparser * refactor(rdbm): json files * fix: add ou=stat,o=gluu * feat: migrate Jans to Gluu OC * feat: migrate Jans to Gluu OC * refactor: rdbm works * feat(rdbm): installation * fix: gluu_installer.py for args * fix: radius installer * fix(rdbm): local install * fix(schema): add missing attributes * fix(rdbm): schema and sql data types * fix: gluuPerson * fix: update package list * fix: update installer for missing packages * fix: ruamel module * fix: add pylib path to encode.py * refactor: re-order installers * fix: encode.py * fix: doc_id gluu --> _ * fix: remov unused file db_utils_org.py * feat: add -n option to gluu_install.py * fix: change ce setup branch * feat: implement --no-progress * fix: redhat8 installs * feat: add -no-setup to installer * fix: typo * fix: enable opendj * re-add stat service attrbiutes * fix: generate schema * fix: set jetty timeout 300 * fix: set systemd tiemout * fix: spanner fixes * feat: logging config * fix: cb installation * refactor: log filename db-backend.log * feat: add --dist-server-base * fix: couchbase test data loading * fix: cn for uniqueness in ldap * fix: load test data for ldap * fix: test data loader ldap bind * fix: dsconfig after test data * fix: remove attrbiutes lifetime & salt * fix: implement spanner test data loader * fix: add del and exp to gluuPasswordResetRequest * fix: re-generate schema * feat: pre add base metric entries * feat: pre add base metric entries * feat: pre add base metric entries * fix: spacing * Update install.py added sqlalchemy extraction to ces_dir * fix: added ssnId to oxAuthUmaRPT * fix: added ssnId to oxAuthUmaPCT * fix: load ldif * fix(wrends): change display text to opendj * fix: spanner subtables * fix: couchbase install (ref: #741) * faet: review Spanner indexes #736 * fix: remote couchbase arg * faet: review Spanner indexes #736 * fix: mysql indexes (ref: #737) * fix: chown root:gluu gluuOptPythonFolder * fix(spanner): passport installation (ref: #740) * fix: creating o=metric related entries (ref: #742) * fix: ldap test data loader * fix: spanner test data loading * feat(test-data): display if test data will be loaded * feat(cert): download Apple WebAuthn Root CA * fix: setting couchbase admin password * fix: passport cert files mode * feat: merge test config changes from jans * fix: saml couchbase install (ref: #741) * fix: check if apache module is availabe before enabling (ref: #741) * feat: check user and group before adding * fix: remove wrong error line for rendering ecnode script * feat: check if opendj ports are free (ref: #743) * fix: /etc/certs permissions * feat: fix attribute names to conform Gluu shema * feat: update test CIBA configuration * feat: update test CIBA configuration * fix: test data additional columns creation * feat: fix configuration entry DN in server tests * fix: limit lenght of description for indexing * fix: set size 768 for description * fix: spanner test data columns * fix: cb test oxauth config * feat: update default server profile * feat: update default server profile * feat: update default server profile * fix: don't create gluuCustomPerson * fix: typo * feat: update default server profile * feat: command line backend options * fix: set couchbase host to hostname for local installation * fix: disable ssl ofr cb test profile * feat: merge scim properties from Jans * fix: couchbase hostname * fix: rdbm test data columns * fix: local mysql installation * fix: typo * fix: prepend plus sign GluuFederation/casa#138 * feat(tui): implement backends * fix: oxd server gluu storage config * fix: typo * fix: oxd-server progress string * fix: remote cb install * fix: remove tmp file * fix: create UMA SCIM resource (ref: #744) * fix: typo * fix: double backup when inserting lines to file * fix: scim-rp.jks goes to bot output and certs dir * feat: file descriptor limits for systemd services (ref: #734 #745 ) * fix: post install tasks * refactor(backend): disable rdbm * feat: re-try download three times on fail * Load module before config https://support.gluu.org/other/9790/bug-in-httpdconf/ * fix: passport certs ownerships * fix: remove sqlalchemy related code from install.py * fix: remove gluu_install.py if extracted within container * fix: chenage jetty version * fix: typo * Updated marketing messages Updated marketing messages * Revert "refactor(backend): disable rdbm" This reverts commit e204f11. * fix: re-do commit 0fc53c8 * fix: re-do commit 1ff6a74 * refactor(rdbm): suppress rdbm options * fix: scim istallation * fix: ownership of webapps dir (ref: #746) * feat(setup4.3): added stat scope GluuFederation/oxAuth#1554 * refactor(4.3setup): renamed scope stat -> jans_stat GluuFederation/oxAuth#1554 * fix: centos packages * chore: sync scim script wrt oxexternal * chore: remove comment * feat: add enable war updates to gluu_install.py * feat: extract sqlalchemy * feat: gluu_install.py update oxd-server * feat: dummy installation * feat: added o to oxAuthClient * fix: typo on help * fix: update shibboleth idp custom script * chore: adjust length casa attributes * fix: don't create config for oxd * feat: Touch ID as a fido2 device (platform authenticator) * feat: Adjust protection mode handling in SCIM See GluuFederation/scim#20 * feat: scim scopes (ref: #750) * feat: UMA mode for SCIM (ref: #752) * feat: dbUtils set config by dn * fix: find oxd_host when collecting properties * feat: fido installer add do_import arg * fix: collect properties for cb backend * fix: collect properties oxd_host * feat: backup option for copyFile * fix: collect properties casa for cb backend * fix: set_configuration for cb * feat: function determine_key_gen_path() * feat: conform script wrt latest changes GluuFederation/scim#18 * feat: Update OpenDJ version * feat: add jetty version * feat: adjust template for new field, see GluuFederation/scim#22 * fix: fix oxDeviceData size * fix: fic consent script api version * feat: jetty-10 integration * fix: jetty inifile * fix: jetty inifile * feat: jetty version is available with option -a * fix: arg parser * fix: spanner passport install * fix: spanner related issues * feat: gluu-utils * fix: check City in TUI (ref: #754) * fix: updated idp.properties for Shibboleth IDP install * feat: Casa plugin for Stytch Credentials * fix: use Final binaries * feat: remove oxaut-rp installation * fix: idp.session.slop entry in idp.properties prevents Shib IDP start * fix: opendj version 4.4.12 * fix: re-enable encoding setup.properties * fix: prevent casa client vanish * fix: Fix wrong steps count in consent script * fix: load setup.properties * fix: update jetty version * fix: mem calculation when setup.properties loaded * fix: set opendj ram constraint * fix: gluu-radius unable to start * fix: gluu-radius failed to start due to incorrect user/group * fix: ownership issue * fix: radius init.d script Co-authored-by: Mustafa Baser <mbaser@mail.com> Co-authored-by: Madhumita <madhu@gluu.org> Co-authored-by: YuriyZ <yzabrovarniy@gmail.com> Co-authored-by: Jose <bonustrack310@gmail.com> Co-authored-by: David <nikdavnik@gmail.com> Co-authored-by: Ganesh <ganesh.sharma@worldiswelcome.com> Co-authored-by: Mike Schwartz <mike@gluu.org> Co-authored-by: Djeumen Rolain <uprightech@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the issue
Feat: stat endpoint must require specific scope during authorization check (needed for both oxauth and jans).
Requested by Mike.
Required scope:
jans_stat(not visible on discovery by default.)The text was updated successfully, but these errors were encountered: