Add origin parameter in Fido2ExternalAuthenticator script for attesta…

…tion and assertion API calls #9248 (#9974)

* feat(jans-fido2): add origin parameter in Fido2ExternalAuthenticator script for attestation and assertion API calls

Signed-off-by: imran-ishaq <[email protected]>

* refactor(docs): add origin parameter in Fido2ExternalAuthenticator script for attestation and assertion API calls #9248

Signed-off-by: imran-ishaq <[email protected]>

* fix(jans-fido2): handle origin if http or https is missing #9248

Signed-off-by: imran-ishaq <[email protected]>

---------

Signed-off-by: imran-ishaq <[email protected]>

docs/script-catalog/person_authentication/fido2-external-authenticator/Fido2ExternalAuthenticator.py

@@ -177,7 +177,7 @@ def prepareForStep(self, configurationAttributes, requestParameters, step):
 
                 try:
                     assertionService = Fido2ClientFactory.instance().createAssertionService(metaDataConfiguration)
-                    assertionRequest = json.dumps({'username': userName}, separators=(',', ':'))
+                    assertionRequest = json.dumps({'username': userName, 'origin', domain}, separators=(',', ':'))
                     assertionResponse = assertionService.authenticate(assertionRequest).readEntity(java.lang.String)
                     print "assertionResponse %s " % assertionResponse
 
@@ -190,7 +190,7 @@ def prepareForStep(self, configurationAttributes, requestParameters, step):
                 try:
                     attestationService = Fido2ClientFactory.instance().createAttestationService(metaDataConfiguration)
 
-                    basic_json = {'username': userName, 'displayName': userName}
+                    basic_json = {'username': userName, 'displayName': userName, 'origin', domain}
 
 
                     print " basic_json %s" % basic_json

jans-fido2/model/src/main/java/io/jans/fido2/model/attestation/AttestationErrorResponseType.java

@@ -54,6 +54,11 @@ public enum AttestationErrorResponseType implements IErrorType {
      * Fido U2F validation error
      */
     FIDO_U2F_ERROR("fido_u2f_error"),
+
+    /**
+     * Attestation Origin validation error
+     */
+    INVALID_ORIGIN("invalid_origin"),
     ;
 
     private final String paramName;

jans-fido2/server/src/main/java/io/jans/fido2/service/operation/AssertionService.java

@@ -144,7 +144,7 @@ public AssertionOptionsResponse options(AssertionOptions assertionOptions) {
 		log.debug("Put challenge {}", challenge);
 
 		// Put RP
-		String origin = commonVerifiers.verifyRpDomain(assertionOptions.getOrigin(),appConfiguration.getIssuer());
+		String origin = commonVerifiers.verifyRpDomain(assertionOptions.getOrigin(),appConfiguration.getIssuer(), appConfiguration.getFido2Configuration().getRequestedParties());
 		assertionOptionsResponse.setRpId(origin);
 		log.debug("Put rpId {}", origin);
 
@@ -232,7 +232,7 @@ public AsserOptGenerateResponse generateOptions(AssertionOptionsGenerate asserti
 		log.debug("Put challenge {}", challenge);
 
 		// Put RP
-		String origin = commonVerifiers.verifyRpDomain(assertionOptionsGenerate.getOrigin(), appConfiguration.getIssuer());
+		String origin = commonVerifiers.verifyRpDomain(assertionOptionsGenerate.getOrigin(), appConfiguration.getIssuer(), appConfiguration.getFido2Configuration().getRequestedParties());
 		asserOptGenerateResponse.setRpId(origin);
 		log.debug("Put rpId {}", origin);
 

jans-fido2/server/src/main/java/io/jans/fido2/service/operation/AttestationService.java

@@ -136,7 +136,7 @@ public PublicKeyCredentialCreationOptions options(AttestationOptions attestation
 		pubKeyCredParams.stream().forEach(ele -> log.debug("Put pubKeyCredParam {}", ele.toString()));
 
 		// Put RP
-		String origin = commonVerifiers.verifyRpDomain(attestationOptions.getOrigin(), appConfiguration.getIssuer());
+		String origin = commonVerifiers.verifyRpDomain(attestationOptions.getOrigin(), appConfiguration.getIssuer(), appConfiguration.getFido2Configuration().getRequestedParties());
 		RelyingParty relyingParty = createRpDomain(origin);
 		log.debug("Relying Party: "+relyingParty);
 

jans-fido2/server/src/main/java/io/jans/fido2/service/verifier/CommonVerifiers.java

@@ -22,6 +22,7 @@
 import io.jans.fido2.model.attestation.AttestationOptions;
 import io.jans.fido2.model.attestation.AttestationResult;
 import io.jans.fido2.model.attestation.Response;
+import io.jans.fido2.model.conf.RequestedParty;
 import io.jans.fido2.model.error.ErrorResponseFactory;
 import org.apache.commons.codec.binary.Hex;
 import org.apache.commons.codec.digest.DigestUtils;
@@ -85,13 +86,28 @@ public void verifyRpIdHash(AuthData authData, String domain) {
         }
     }
 
-    public String verifyRpDomain(String origin, String rpId) {
-
-        if (Strings.isNullOrEmpty(origin)) {
-            origin = rpId;
+    public String verifyRpDomain(String origin, String rpId, List<RequestedParty> requestedParties) {
+
+        origin = Strings.isNullOrEmpty(origin) ? rpId : origin;
+        if (!origin.startsWith("http://") && !origin.startsWith("https://")) {
+            origin = "https://" + origin;
         }
         origin = networkService.getHost(origin);
-        log.debug("Returning rp id : "+ origin);
+        log.debug("Resolved origin to RP ID: " + origin);
+
+        // Check if requestedParties is null or empty
+        if (requestedParties == null || requestedParties.isEmpty()) {
+            return origin;
+        }
+        // Check if the origin exists in any of the RequestedParties origins
+        String finalOrigin = origin;
+        boolean originExists = requestedParties.stream()
+                .flatMap(requestedParty -> requestedParty.getOrigins().stream())
+                .anyMatch(allowedOrigin -> allowedOrigin.equals(finalOrigin));
+
+        if (!originExists) {
+            throw errorResponseFactory.badRequestException(AttestationErrorResponseType.INVALID_ORIGIN, "The origin '" + origin + "' is not listed in the allowed origins.");
+        }
         return origin;
     }