You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Static code analysis has been run locally and issues have been fixed
Relevant unit and integration tests have been added/updated
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.
I confirm that there is no impact on the docs due to the code changes in this PR.
The pull request focuses on improving the security and functionality of the User Info endpoint in the Jans Auth Server application by implementing a new UserInfoService class, modifying the UserInfoRestWebServiceImpl class, adding documentation, and implementing unit tests.
Expand for full summary
Summary:
The code changes in this pull request are focused on improving the security and functionality of the User Info endpoint in the Jans Auth Server application. The changes include:
Implementing a new UserInfoService class to handle the population of the JsonWebResponse object with necessary claims, such as the JSON Web Token ID (jti) and the client ID (client_id). This helps ensure the integrity and traceability of the user information being returned.
Modifying the UserInfoRestWebServiceImpl class to use the new UserInfoService and to perform thorough validation of the access token and authorization grant before processing the user information request. This helps prevent unauthorized access to user data.
Adding documentation for the User Info endpoint, which explicitly states the required claims in the response, including sub, jti, and client_id. This promotes consistency and clarity in the API.
Implementing unit tests for the UserInfoService class to ensure the correct handling of the required claims in the JsonWebResponse object. This helps maintain the security and reliability of the user information handling process.
From an application security perspective, these changes are generally positive and do not introduce any obvious security concerns. However, it is important to continue to monitor the security of the User Info endpoint and ensure that it is properly secured, including:
Implementing robust access control mechanisms to restrict access to authorized parties
Thoroughly validating all input parameters to prevent injection attacks
Carefully handling any sensitive user information returned by the endpoint
Implementing proper error handling and logging to prevent the exposure of sensitive information
By maintaining a strong security posture around the User Info endpoint, the Jans Auth Server application can ensure the confidentiality and integrity of user data, which is crucial for maintaining user trust and compliance with security and privacy regulations.
Error: Hi @yuriyz, You did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issues' title and body and make sure I correctly referenced it in the above PRs body.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
mo-auto
added
area-documentation
Description
feat(jans-auth-server): added jti and client_id to userinfo
Target issue
closes #8763
Test and Document the changes
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:to indicate documentation changes or if the below checklist is not selected.Closes #8922,