feat(jans-keycloak-integration): enhancements to keycloak integration #8614 #8747

Merged
merged 40 commits into from
Jun 24, 2024

feat(jans-keycloak-integration): enhancements to jans-keycloak-integr…

d5f9221
DryRunSecurity / Authn/Authz Analyzer succeeded Jun 24, 2024 in 10s

Authn/Authz Analyzer Findings: 9 detected

⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/api/admin/client/model/ManagedSamlClient.java
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains several functions related to authentication and authorization, such as samlShoulDocumentsBeSigned, samlSignAssertions, samlForcePostBinding, samlEncryptAssertions, and samlForceArtifactBinding. These functions are likely part of the SAML (Security Assertion Markup Language) authentication flow, which is a common mechanism for managing user authentication and authorization in web applications.
Filename: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/api/admin/client/model/ManagedSamlClient.java
Code:
    clientRepresentation.setAuthenticationFlowBindingOverrides(authnFlowBindingOverrides);
    // set default saml attributes
    samlShoulDocumentsBeSigned(true);
    samlSignAssertions(true);
    samlForcePostBinding(false);
    samlEncryptAssertions(false);
    samlForceArtifactBinding(false);
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Type: Potential Authn/Authz Function Used or Modified
Description: The code appears to be updating a managed SAML client protocol mapper, which is likely related to authentication or authorization functionality. The ManagedSamlClient and ProtocolMapper classes suggest that this code is dealing with SAML (Security Assertion Markup Language) authentication and/or authorization mechanisms.
Filename: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Code:
        log.debug("Updating managed client released attribute. Client id: {} / Attribute name: {}", client.clientId(), releasedattribute.getName());
        ProtocolMapper newmapper = ProtocolMapper
                .samlUserAttributeMapper(mapper)
                .jansAttributeName(releasedattribute.getName())
                .build();
        keycloakApi.updateManagedSamlClientProtocolMapper(realm, client, newmapper);
    }
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains a reference to a 'keycloakApi' object, which suggests that it is interacting with an authentication/authorization system, likely Keycloak. The constructor initializes several variables related to Keycloak, such as the realm, SAML user attribute mapper, and authentication flow. These are all components that are typically associated with authentication and authorization functionality in web applications.
Filename: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Code:
        this.keycloakApi = App.keycloakApi();
        this.realm = App.configuration().keycloakResourcesRealm();
        this.samlUserAttributeMapperId = App.configuration().keycloakResourcesSamlUserAttributeMapper();
        this.authnBrowserFlow = keycloakApi.getAuthenticationFlowFromAlias(realm, App.configuration().keycloakResourcesBrowserFlowAlias());
    }

    @Override
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains functions related to authentication or authorization because it involves managing a 'ManagedSamlClient' and adding 'ProtocolMapper' objects to it. This suggests that the code is part of an authentication or authorization flow, as SAML (Security Assertion Markup Language) is a widely used authentication and authorization protocol.
Filename: jans-keycloak-integration/job-scheduler/src/main/java/io/jans/kc/scheduler/TrustRelationshipSyncJob.java
Code:
        List<ProtocolMapper> protmappers = releasedattributes.stream().map((r) -> {
            log.debug("Preparing to add released attribute {} to managed saml client with clientId {}", r.getName(), client.clientId());
            return ProtocolMapper
                    .samlUserAttributeMapper(samlUserAttributeMapperId)
                    .name(generateKeycloakUniqueProtocolMapperName(r))
                    .jansAttributeName(r.getName())
                    .build();
        }).toList();
        keycloakApi.addProtocolMappersToManagedSamlClient(realm, client, protmappers);
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCAccessToken.java
Type: Potential Authn/Authz Function Used or Modified
Description: The code appears to be an interface named 'OIDCAccessToken', which suggests that it is related to authentication or authorization mechanisms in an OIDC (OpenID Connect) application. Access tokens are typically used to authenticate and authorize users in such applications, so the presence of this interface indicates that the code may contain functions or methods related to authentication or authorization.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCAccessToken.java
Code:
    package io.jans.kc.oidc;

    public interface OIDCAccessToken {
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCAuthRequest.java
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains variables related to OpenID Connect (OIDC) authentication, such as 'clientId', 'state', 'nonce', 'scopes', 'responseTypes', and 'redirectUri'. These are common parameters used in the OIDC authentication flow, which is a widely used authentication and authorization protocol. The presence of these variables suggests that the code is likely handling authentication-related functionality.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCAuthRequest.java
Code:
        this.clientId = null;
        this.state = null;
        this.nonce = null;
        this.scopes = new ArrayList<>();
        this.responseTypes = new ArrayList<>();
        this.redirectUri = null;
    }
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCMetaCacheKeys.java
Type: Potential Authn/Authz Function Used or Modified
Description: The code contains constants related to the OIDC (OpenID Connect) authentication flow, such as AUTHORIZATION_URL, TOKEN_URL, and USERINFO_URL. These constants are typically used in implementing OIDC authentication and authorization mechanisms in web applications, which are considered sensitive functions.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCMetaCacheKeys.java
Code:
    package io.jans.kc.oidc;

    public class OIDCMetaCacheKeys {

        public static final String AUTHORIZATION_URL = "oidc.authorization.url";
        public static final String TOKEN_URL = "oidc.token.url";
        public static final String USERINFO_URL = "oidc.userinfo.url";

        private OIDCMetaCacheKeys() {
            // private constructor
        }
    }
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCRefreshToken.java
Type: Potential Authn/Authz Function Used or Modified
Description: The code snippet contains an interface named 'OIDCRefreshToken', which suggests that it is related to handling OAuth/OIDC refresh tokens. Refresh tokens are commonly used in authentication and authorization flows, so the presence of this interface indicates that the code may contain functions or methods related to authentication or authorization.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCRefreshToken.java
Code:
    package io.jans.kc.oidc;

    public interface OIDCRefreshToken {
⚠️ Potential Authn/Authz Function Used or Modified: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCUserInfoRequestError.java
Type: Potential Authn/Authz Function Used or Modified
Description: The class 'OIDCUserInfoRequestError' extends the 'Exception' class, which is typically used for handling authentication or authorization-related errors in web applications. This suggests that the code may contain functions or methods related to authentication or authorization processes.
Filename: jans-keycloak-integration/spi/src/main/java/io/jans/kc/oidc/OIDCUserInfoRequestError.java
Code:
    package io.jans.kc.oidc;

    public class OIDCUserInfoRequestError extends Exception {