feat(jans-auth-server): Token Status List support

[yuriyz]

Description

feat(jans-auth-server): Token Status List support

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-status-list-02#name-status-list

Target issue

closes #8562

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Relevant unit and integration tests have been added/updated
• Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

[dryrunsecurity]

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security	Status	Findings
Server-Side Request Forgery Analyzer	✅	0 findings
Configured Codepaths Analyzer	✅	0 findings
Secrets Analyzer	✅	0 findings
Authn/Authz Analyzer	❕	23 findings
SQL Injection Analyzer	✅	0 findings
Sensitive Files Analyzer	✅	0 findings
IDOR Analyzer	✅	0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request focus on enhancing the token management and status tracking functionality in the Janssen Project's authentication server. The key changes include:

1. Token Status List: The introduction of a "Status List" feature that allows the server to maintain a list of token status indices. This feature is implemented through the addition of new classes and properties to track the status of various token entities, such as access tokens, refresh tokens, and authorization codes.

2. Token Status Tracking: The addition of a statusListIndex property to various token entities, which is used to associate a status index with each token. This allows the server to efficiently track the status of issued tokens.

3. Token Status Handling: Updates to the token-related methods, such as createAccessTokenAsJwt() and asTokenEntity(), to incorporate the new status list index information when generating and storing tokens.

4. Feature Flag Management: The introduction of a new feature flag called "STATUS_LIST" to control the availability of the status list functionality. This allows the server to enable or disable the status list feature based on the application configuration.

From an application security perspective, these changes do not introduce any obvious security vulnerabilities. The focus on improving token management and status tracking is a positive step, as it can help the application better detect and respond to potential token-related security issues, such as unauthorized access or token revocation.

However, it is important to ensure that the implementation of the status list feature is secure and does not introduce any unintended security risks. This includes reviewing the handling of status list-related data, the security of the status list service and index service, and the overall impact on the application's performance and scalability.

Files Changed:

1. jans-auth-server/client/src/main/java/io/jans/as/client/OpenIdConfigurationResponse.java: Adds a new statusListEndpoint property to the OpenIdConfigurationResponse class.
2. jans-auth-server/client/src/main/java/io/jans/as/client/StatusListClient.java: Introduces a new StatusListClient class to handle interactions with the status list endpoint.
3. jans-auth-server/client/src/main/java/io/jans/as/client/OpenIdConfigurationClient.java: Adds a new setStatusListEndpoint method to the parse function.
4. jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/GrantTypesRestrictionHttpTest.java: Adds a new test suite for verifying grant type and response type restrictions.
5. jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/RegistrationRestWebServiceHttpTest.java: Updates the test suite to use the correct grant type name.
6. jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/StatusListHttpTest.java: Adds a new test suite for the status list functionality.
7. jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/uma/UmaSpontaneousScopeHttpTest.java: Updates the test suite to use the correct grant type name.
8. jans-auth-server/client/src/test/java/io/jans/as/client/ws/rs/uma/ClientAuthenticationByAccessTokenHttpTest.java: Updates the test suite to use the correct grant type name.
9. jans-auth-server/model/src/main/java/io/jans/as/model/common/GrantType.java: Renames the OXAUTH_UMA_TICKET grant type to UMA_TICKET.
10. jans-auth-server/model/src/main/java/io/jans/as/model/common/FeatureFlagType.java: Adds a new "STATUS_LIST" feature flag.
11. jans-auth-server/model/src/main/java/io/jans/as/model/config/BaseDnConfiguration.java: Adds two new properties, "node" and "statusIndexPool", to the BaseDnConfiguration class.
12. `jans-auth-server/model/src/main/java/io/jans/

Powered by DryRun Security

[sonarcloud]

Quality Gate passed for 'jans-cli'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'agama parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'Jans-Keycloak-Link'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'jans-core'

Issues
7 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'Fido2 API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'SCIM API'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'jans-config-api-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[sonarcloud]

Quality Gate passed for 'keycloak-integration-parent'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud