feat(jans-auth-server): Token Status List support #8620
Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

Note 🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary: The code changes in this pull request focus on enhancing the token management and status tracking functionality in the Janssen Project's authentication server. The key changes include:

From an application security perspective, these changes do not introduce any obvious security vulnerabilities. The focus on improving token management and status tracking is a positive step, as it can help the application better detect and respond to potential token-related security issues, such as unauthorized access or token revocation. However, it is important to ensure that the implementation of the status list feature is secure and does not introduce any unintended security risks. This includes reviewing the handling of status list-related data, the security of the status list service and index service, and the overall impact on the application's performance and scalability.

Files Changed:
* chore(jans-auth-server): renamed OXAUTH_UMA_TICKET -> UMA_TICKET Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): Token Status List support #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix(jans-auth-server): corrected requestContext and azd decoding #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): added token status list endpoint and status claim with index. #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth): new cluster beans and services Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth-server): added head index to list #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth): move beans to core model Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): add index range to TokenPool Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth-server): added application/statuslist+json support #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth): add methods to allocate/release TokenPool Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): fix TokenPool sort Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): implement method to get nextIndex for token Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): implement method to get nextIndex for token Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): instead of using token list status use expiration date Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* fix(jans-auth-server): fixed index during list joins and npe on nextIndex. #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): populate statusListIndex in access and id tokens #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth): add ClusterNode services Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): add node base dn Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth-server): added status list update on revoke #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix after merge Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth): add schema for new entries Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): fix allocate Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): fix cluster nodes expiration Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth-server): added status list as jwt support #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth): Deprecate TokenPoolStatus Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): implement updateWithLock for concurrent lock on revoke Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth-server): use updateWithLock during status update index #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): update status list on token revoke in separate thread #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): renamed TokenPool -> StatusTokenPool, TokenPoolService -> StatusTokenPoolService #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): removed token head index (we are using status token pools instead) #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): added status list to swagger #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): added ou=node,o=jans to config #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): throw configuration exception if node baseDn is missing #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): set status_list feature flag enabled by default #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix(jans-auth-server): fixed node allocation #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix(jans-auth-server): corrected bug in getClusterNodeLast #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): keep lockKey static and save in jansNode after locking #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix(jans-auth-server): different fixes for cluster node management #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix(jans-auth-server): fixed allocation of status index pools #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* chore(jans-auth-server): added more logs for status index pool allocation #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth): ignore timezone when DB is PostgreSQL Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth): fetch all node entries if DB is LDAP Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
* feat(jans-auth-server): added status list client #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix(jans-auth-server): fixed pool allocation #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* chore(jans-auth-server): renamed endpoint /token_status_list -> /status_list #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-orm): resolve bean property name with AttributeName #8773
* chore(jans-auth-server): renamed token_status_list -> status_list #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* chore(jans-auth-server): token statuses VALID - 0, INVALID - 1 #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* chore(jans-auth-server): moved status list to model for re-using #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): added batch index update and fixed concurrent update issue #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): use new index update method in existing revoke code #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* fix(jans-auth-server): fixed status pool index joining #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* chore(jans-auth-server): code improvements #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* test(jans-auth-server): added full integration test for status list #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* test(jans-auth-server): added test for CN case #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* feat(jans-auth-server): mark indexes which we are about to re-use as VALID #8562 Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* code re-format Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
* docs(config-api): regenerating config swagger api Signed-off-by: pujavs <pujas.works@gmail.com>

---------

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Signed-off-by: pujavs <pujas.works@gmail.com>
Co-authored-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
Co-authored-by: pujavs <pujas.works@gmail.com>
Co-authored-by: Mohammad Abudayyeh <47318409+moabu@users.noreply.github.com>
Former-commit-id: 51101e4
Description
feat(jans-auth-server): Token Status List support
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-status-list-02#name-status-list
Target issue
closes #8562
Test and Document the changes
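As an added illustration of the format the linked draft defines and this PR implements (example code, not code from the PR or the Janssen project): pack per-token statuses into the DEFLATE-compressed, base64url-encoded `lst` string of a `status_list` object, then look a token up by the `idx` its `status` claim carries. The values VALID = 0 and INVALID = 1 follow the commit log above; the bit layout (index 0 in the least significant bit of byte 0), the `bits`/`lst` field names and the shape of the `status` claim are taken from draft-ietf-oauth-status-list-02 as I read it, and the example URI is constructed.

```python
import base64
import zlib

# Status values as used in this PR's commit log (the draft also allows multi-bit values).
VALID = 0
INVALID = 1


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as the draft requires for 'lst'."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_status_list(statuses, bits=1):
    """Pack statuses LSB-first within each byte (index 0 -> bit 0 of byte 0), ZLIB/DEFLATE
    compress, and return the draft-02 'status_list' object {"bits": ..., "lst": ...}."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    mask = (1 << bits) - 1
    raw = bytearray((len(statuses) * bits + 7) // 8)
    for index, status in enumerate(statuses):
        if status & ~mask:
            raise ValueError(f"status {status} does not fit in {bits} bit(s)")
        pos = index * bits
        raw[pos // 8] |= status << (pos % 8)
    return {"bits": bits, "lst": b64url_encode(zlib.compress(bytes(raw), 9))}


def raw_bytes(status_list) -> bytes:
    """Inflate 'lst' back to the uncompressed byte array."""
    return zlib.decompress(b64url_decode(status_list["lst"]))


def status_at(status_list, index: int) -> int:
    """Read the status value of the Referenced Token at the given index."""
    bits = status_list["bits"]
    raw = raw_bytes(status_list)
    pos = index * bits
    if pos // 8 >= len(raw):
        raise IndexError("index is beyond the end of the status list")
    return (raw[pos // 8] >> (pos % 8)) & ((1 << bits) - 1)


def is_token_valid(status_claim, status_list) -> bool:
    """status_claim is the token's 'status' claim: {"status_list": {"idx": n, "uri": "..."}}."""
    return status_at(status_list, status_claim["status_list"]["idx"]) == VALID
```

A relying party fetching the list over `/status_list` only needs `status_at`; an issuer revoking a token flips the bit at the token's `idx` and republishes `lst`, which is the operation the "status list update on revoke" commits above perform.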