
chore: remove usage of agama_flow param in plugin #8741

Merged: 1 commit, Jun 20, 2024

Conversation

jgomer2001 (Contributor)

Prepare


Description

Target issue

closes #8735

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Signed-off-by: jgomer2001 <bonustrack310@gmail.com>

dryrunsecurity bot commented Jun 19, 2024

Hi there 👋, @DryRunSecurity here, below is a summary of our analysis and findings.

DryRun Security Status                  Findings
Server-Side Request Forgery Analyzer    0 findings
Configured Codepaths Analyzer           0 findings
Secrets Analyzer                        0 findings
Authn/Authz Analyzer                    2 findings
SQL Injection Analyzer                  0 findings
Sensitive Files Analyzer                1 finding
IDOR Analyzer                           0 findings

Note

🟢 Risk threshold not exceeded.

Change Summary

The following is a summary of changes in this pull request made by me, your security buddy 🤖. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover several files related to the "acct-linking" plugin within the "jans-casa" project. The key changes include:

  1. Addition of a new dependency on the "jans-auth-model" artifact in the pom.xml file, which is likely used for authentication-related functionality within the plugin.
  2. Enhancements to the "Casa" application, which is responsible for handling external authentication provider integration and multi-factor authentication (MFA) policies.
  3. Modifications to the SiteRedirectVM.java file, which is part of the "acct-linking" plugin, to handle the account linking functionality, including the use of Base64 encoding for sensitive data and the storage of a uidRef value in the cache.

From an application security perspective, the key focus should be on ensuring that the new dependency is secure and properly integrated, that the external authentication provider integration and MFA handling are implemented securely, and that the account linking functionality, including the use of Base64 encoding and cache storage, follows best practices for authentication and authorization.

Files Changed:

  1. jans-casa/plugins/acct-linking/pom.xml:

    • Addition of a new dependency on the jans-auth-model artifact.
    • Configuration of the maven-assembly-plugin to include plugin metadata.
    • Addition of the spotbugs-maven-plugin for static code analysis.
  2. jans-casa/plugins/acct-linking/extras/Casa.py:

    • Functionality to handle authentication requests from external providers.
    • Logic to determine the appropriate MFA method based on user preferences and available authentication modules.
    • Trusted devices management, including storage and retrieval of device information.
    • Use of security-related libraries and utilities, such as Base64Util and EncryptionService.
    • Extensive error handling and logging mechanisms.
  3. jans-casa/plugins/acct-linking/src/main/java/io/jans/casa/plugins/acctlinking/vm/SiteRedirectVM.java:

    • Addition of the Base64Util class for encoding/decoding data.
    • Modification of the makeOAuthParams method to include the acr_values parameter with a Base64-encoded string.
    • Introduction of the buildFlowParams method to generate the Base64-encoded string for the acr_values parameter.
    • Storage of the uidRef value in the cache, which should be reviewed for potential security implications.


@mo-auto added the label kind-dependencies (Pull requests that update a dependency file) on Jun 19, 2024
@moabu moabu merged commit e0c566a into main Jun 20, 2024
9 checks passed
@moabu moabu deleted the jans-casa-issue_8735 branch June 20, 2024 06:40
@ossdhaval (Contributor)

Hi @jgomer2001

Does this have an impact on documentation? I found a couple of pages where agama_flow is mentioned. Can you see if these need to be updated?


@jgomer2001 (Contributor, Author)

Good catch:
#8758

Development

Successfully merging this pull request may close these issues.

chore(jans-casa): update accounts linking plugin to conform new way to launch flows