DryRunSecurity / Authn/Authz Analyzer
succeeded
Jun 24, 2024 in 10s
Authn/Authz Analyzer Findings: 9 detected
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/api/admin/client/model/ManagedSamlClient.java

Type: Potential Authn/Authz Function Used or Modified
Description: The code contains several functions related to authentication and authorization, such as samlShoulDocumentsBeSigned, samlSignAssertions, samlForcePostBinding, samlEncryptAssertions, and samlForceArtifactBinding. These functions are likely part of the SAML (Security Assertion Markup Language) authentication flow, which is a common mechanism for managing user authentication and authorization in web applications.
Filename: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/api/admin/client/model/ManagedSamlClient.java
Code:

    clientRepresentation.setAuthenticationFlowBindingOverrides(authnFlowBindingOverrides);

    //set default saml attributes
    samlShoulDocumentsBeSigned(true);
    samlSignAssertions(true);
    samlForcePostBinding(false);
    samlEncryptAssertions(false);
    samlForceArtifactBinding(false);

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java

Type: Potential Authn/Authz Function Used or Modified
Description: The code appears to be updating a managed SAML client protocol mapper, which is likely related to authentication or authorization functionality. The ManagedSamlClient and ProtocolMapper classes suggest that this code is dealing with SAML (Security Assertion Markup Language) authentication and/or authorization mechanisms.
Filename: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Code:

    log.debug("Updating managed client released attribute. Client id: {} / Attribute name: {}",client.clientId(),releasedattribute.getName());
    ProtocolMapper newmapper = ProtocolMapper
        .samlUserAttributeMapper(mapper)
        .jansAttributeName(releasedattribute.getName())
        .build();
    keycloakApi.updateManagedSamlClientProtocolMapper(realm, client,newmapper);
    }

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java

Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a reference to a 'keycloakApi' object, which suggests that it is interacting with an authentication/authorization system, likely Keycloak. The constructor initializes several variables related to Keycloak, such as the realm, SAML user attribute mapper, and authentication flow. These are all components that are typically associated with authentication and authorization functionality in web applications.
Filename: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Code:

    this.keycloakApi = App.keycloakApi();
    this.realm = App.configuration().keycloakResourcesRealm();
    this.samlUserAttributeMapperId = App.configuration().keycloakResourcesSamlUserAttributeMapper();
    this.authnBrowserFlow = keycloakApi.getAuthenticationFlowFromAlias(realm,App.configuration().keycloakResourcesBrowserFlowAlias());
    }

    @Override

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java

Type: Potential Authn/Authz Function Used or Modified
Description: The code contains functions related to authentication or authorization because it involves managing a 'ManagedSamlClient' and adding 'ProtocolMapper' objects to it. This suggests that the code is part of an authentication or authorization flow, as SAML (Security Assertion Markup Language) is a widely used authentication and authorization protocol.
Filename: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Code:

    List<ProtocolMapper> protmappers = releasedattributes.stream().map((r)-> {
        log.debug("Preparing to add released attribute {} to managed saml client with clientId {}",r.getName(),client.clientId());
        return ProtocolMapper
            .samlUserAttributeMapper(samlUserAttributeMapperId)
            .name(generateKeycloakUniqueProtocolMapperName(r))
            .jansAttributeName(r.getName())
            .build();
    }).toList();

    keycloakApi.addProtocolMappersToManagedSamlClient(realm, client, protmappers);

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCAccessToken.java

Type: Potential Authn/Authz Function Used or Modified
Description: The code appears to be an interface named 'OIDCAccessToken', which suggests that it is related to authentication or authorization mechanisms in an OIDC (OpenID Connect) application. Access tokens are typically used to authenticate and authorize users in such applications, so the presence of this interface indicates that the code may contain functions or methods related to authentication or authorization.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCAccessToken.java
Code:

    package io.jans.kc.oidc;

    public interface OIDCAccessToken {

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCAuthRequest.java

Type: Potential Authn/Authz Function Used or Modified
Description: The code contains variables related to OpenID Connect (OIDC) authentication, such as 'clientId', 'state', 'nonce', 'scopes', 'responseTypes', and 'redirectUri'. These are common parameters used in the OIDC authentication flow, which is a widely used authentication and authorization protocol. The presence of these variables suggests that the code is likely handling authentication-related functionality.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCAuthRequest.java
Code:

    this.clientId = null;
    this.state = null;
    this.nonce = null;
    this.scopes = new ArrayList<>();
    this.responseTypes = new ArrayList<>();
    this.redirectUri = null;
    }

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCMetaCacheKeys.java

Type: Potential Authn/Authz Function Used or Modified
Description: The code contains constants related to the OIDC (OpenID Connect) authentication flow, such as AUTHORIZATION_URL, TOKEN_URL, and USERINFO_URL. These constants are typically used in implementing OIDC authentication and authorization mechanisms in web applications, which are considered sensitive functions.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCMetaCacheKeys.java
Code:

    package io.jans.kc.oidc;

    public class OIDCMetaCacheKeys {
        public static final String AUTHORIZATION_URL = "oidc.authorization.url";
        public static final String TOKEN_URL = "oidc.token.url";
        public static final String USERINFO_URL = "oidc.userinfo.url";

        private OIDCMetaCacheKeys() {
            //private constructor
        }
    }

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCRefreshToken.java

Type: Potential Authn/Authz Function Used or Modified
Description: The code snippet contains an interface named 'OIDCRefreshToken', which suggests that it is related to handling OAuth/OIDC refresh tokens. Refresh tokens are commonly used in authentication and authorization flows, so the presence of this interface indicates that the code may contain functions or methods related to authentication or authorization.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCRefreshToken.java
Code:

    package io.jans.kc.oidc;

    public interface OIDCRefreshToken {

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCUserInfoRequestError.java

Type: Potential Authn/Authz Function Used or Modified
Description: The class 'OIDCUserInfoRequestError' extends the 'Exception' class, which is typically used for handling authentication or authorization-related errors in web applications. This suggests that the code may contain functions or methods related to authentication or authorization processes.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCUserInfoRequestError.java
Code:

    package io.jans.kc.oidc;

    public class OIDCUserInfoRequestError extends Exception {
