
fix(jans-auth-server): agama_flow acr in id_token does not correspond to acr in request #8692 (PR #8694)

Merged: 1 commit merged into main from jans-auth-server-8692 on Jun 11, 2024

Conversation

yuriyz (Contributor) commented Jun 11, 2024

Description

fix(jans-auth-server): agama_flow acr in id_token does not correspond to acr in request #8692

Target issue

closes #8692

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed

Commit message:

… to acr in request #8692

#8692
Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>

yuriyz self-assigned this Jun 11, 2024

dryrunsecurity bot commented Jun 11, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status (analyzer: findings)

  • Configured Codepaths Analyzer: 0 findings
  • Secrets Analyzer: 0 findings
  • IDOR Analyzer: 0 findings
  • Sensitive Files Analyzer: 0 findings
  • Authn/Authz Analyzer: 0 findings
  • AppSec Analyzer: 0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The code changes in this pull request are focused on enhancing the security and reliability of the authentication and authorization processes in the Jans Auth Server application. The changes primarily address the handling of the "Agama" Authentication Context Class Reference (ACR) value, the validation of ACR values, and the optimization of the authorization flow.

Key security-related aspects of the changes include:

  1. ACR Handling: The changes introduce improvements in the handling of the "Agama" ACR value, ensuring that it is properly compared, mapped, and validated against the client's authorized ACR values.
  2. ACR Validation: The code updates the ACR validation process to check both the actual ACR values and the mapped ACR values, helping to prevent unauthorized access or privilege escalation.
  3. Authorization Flow Optimization: The changes optimize the authorization flow, including handling ACR changes, validating redirection URIs, managing the consent process, and integrating with the Client Initiated Backchannel Authentication (CIBA) flow.

These changes aim to enhance the overall security and reliability of the authentication and authorization processes in the Jans Auth Server application.

Files Changed:

  1. jans-auth-server/server/src/main/java/io/jans/as/server/auth/Authenticator.java:

    • Introduces a new check for the "Agama" ACR value and updates the authentication workflow to handle external authentication scripts.
    • Ensures that the appropriate authentication steps are followed and the session state is properly maintained.
  2. jans-auth-server/server/src/main/java/io/jans/as/server/service/AcrService.java:

    • Improves the handling and validation of the "Agama" ACR value, including case-insensitive comparison and parameter removal.
    • Enhances the client-authorized ACR validation process.
  3. jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeAction.java:

    • Handles the scenario where the ACR value has changed between the initial authorization request and the current request.
    • Optimizes the handling of the "agama" ACR value.
    • Validates the redirection URI and handles the consent flow to ensure a secure authorization process.
    • Integrates with the CIBA flow to enhance the security of the authentication process.

Overall, the changes in this pull request focus on improving the security and reliability of the authentication and authorization functionalities in the Jans Auth Server application.


yuriyz enabled auto-merge (squash) June 11, 2024 09:36
mo-auto added labels comp-jans-auth-server (Component affected by issue or PR) and kind-bug (Issue or PR is a bug in existing functionality) Jun 11, 2024
yuriyz merged commit 304851f into main Jun 11, 2024 (8 checks passed)
yuriyz deleted the jans-auth-server-8692 branch June 11, 2024 09:42
moabu pushed a commit that referenced this pull request Jun 11, 2024
… to acr in request #8692 (#8694)

#8692

Signed-off-by: YuriyZ <yzabrovarniy@gmail.com>
(cherry picked from commit 304851f)