-
Notifications
You must be signed in to change notification settings - Fork 74
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(jans-fido2): major FIDO2 / Passkeys upgrade ProjectPasskeys #10078
Conversation
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3033152
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3033152 Co-authored-by: snyk-bot <[email protected]>
Bumps commons-text from 1.9 to 1.10.0. --- updated-dependencies: - dependency-name: org.apache.commons:commons-text dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3033152 - https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3037311
…erabilities (#972) The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSRESTEASY-1009963 - https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSRESTEASY-1058913 - https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSRESTEASY-1085989 - https://snyk.io/vuln/SNYK-JAVA-ORGJBOSSRESTEASY-1303102 Co-authored-by: pujavs <[email protected]>
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGECLIPSEJETTY-2945452 Co-authored-by: pujavs <[email protected]>
Bumps [postgresql](https://github.com/pgjdbc/pgjdbc) from 42.5.0 to 42.5.1. - [Release notes](https://github.com/pgjdbc/pgjdbc/releases) - [Changelog](https://github.com/pgjdbc/pgjdbc/blob/master/CHANGELOG.md) - [Commits](pgjdbc/pgjdbc@REL42.5.0...REL42.5.1) --- updated-dependencies: - dependency-name: org.postgresql:postgresql dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3168084 - https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3168085 Co-authored-by: snyk-bot <[email protected]>
The following vulnerabilities are fixed with an upgrade: - https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3168084 - https://snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSJETTISON-3168085 Co-authored-by: snyk-bot <[email protected]>
* feat(jans-fido): move fidoconfig folder properties to db #9369 Signed-off-by: shekhar16 [email protected] * feat(jans-fido): added specialized exception #9369 Signed-off-by: shekhar16 [email protected] --------- Signed-off-by: shekhar16 [email protected] Co-authored-by: Yuriy Movchan <[email protected]>
Signed-off-by: Madhumita Subramaniam <[email protected]>
* feat(jans-fido2): reflect authenticator name with passkeys Signed-off-by: imran-ishaq <[email protected]> * fix(jans-fido2): handle test cases for authenticator name Signed-off-by: imran-ishaq <[email protected]> --------- Signed-off-by: imran-ishaq <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
#9624) fix(jans-fido2): remove superGluu-related endpoints from FIDO2 Swagger and ConfigurationControllerTest Signed-off-by: imran-ishaq <[email protected]> Co-authored-by: Mohammad Abudayyeh <[email protected]>
….0-M12 to 4.0.0-M16 in /jans-scim (#9010) chore(deps): bump org.apache.maven.plugins:maven-site-plugin Bumps [org.apache.maven.plugins:maven-site-plugin](https://github.com/apache/maven-site-plugin) from 4.0.0-M12 to 4.0.0-M16. - [Commits](apache/maven-site-plugin@maven-site-plugin-4.0.0-M12...maven-site-plugin-4.0.0-M16) --- updated-dependencies: - dependency-name: org.apache.maven.plugins:maven-site-plugin dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jose Gonzalez <[email protected]>
Signed-off-by: shekhar16 <[email protected]>
Signed-off-by: shekhar16 <[email protected]>
…tion and assertion API calls #9248 (#9974) * feat(jans-fido2): add origin parameter in Fido2ExternalAuthenticator script for attestation and assertion API calls Signed-off-by: imran-ishaq <[email protected]> * refactor(docs): add origin parameter in Fido2ExternalAuthenticator script for attestation and assertion API calls #9248 Signed-off-by: imran-ishaq <[email protected]> * fix(jans-fido2): handle origin if http or https is missing #9248 Signed-off-by: imran-ishaq <[email protected]> --------- Signed-off-by: imran-ishaq <[email protected]>
Signed-off-by: imran-ishaq <[email protected]>
Signed-off-by: Mustafa Baser <[email protected]>
Signed-off-by: shekhar16 <[email protected]>
DryRun Security SummaryThe pull request primarily focuses on improving the configuration and management of the FIDO2 functionality within the Janssen application, including renaming and reorganizing various configuration properties, updating the handling of FIDO2 metadata, attestation, and assertion processes, and enhancing the security and maintainability of the FIDO2 implementation. Expand for full summarySummary: The code changes in this pull request are primarily focused on improving the configuration and management of the FIDO2 (Fast Identity Online) functionality within the Janssen application. The changes involve renaming and reorganizing various configuration properties, as well as updating the handling of FIDO2 metadata, attestation, and assertion processes. From an application security perspective, the changes seem to be a positive step towards enhancing the security and maintainability of the FIDO2 implementation. The renaming of properties to be more descriptive, the separation of debug/development-only features, and the improvements to the handling of sensitive data and cryptographic operations are all important security considerations. However, it's crucial to ensure that the implementation of the FIDO2 functionality, including the usage of the updated configuration properties and the processing of FIDO2 data, is thoroughly reviewed and tested to mitigate potential security vulnerabilities. Proper input validation, secure data handling, and adherence to FIDO2 best practices should be a priority. Files Changed:
Overall, the code changes in this pull request appear to be focused on improving the security, maintainability, and configurability of the FIDO2 functionality within the Janssen application. As an application security engineer, it's important to review these changes thoroughly and ensure that the implementation adheres to best practices for secure FIDO2 integration. Code AnalysisWe ran
Riskiness🟢 Risk threshold not exceeded. |
Quality Gate passed for 'jans-cli'Issues Measures |
Quality Gate passed for 'jans-core'Issues Measures |
Quality Gate passed for 'jans-config-api-parent'Issues Measures |
Quality Gate passed for 'jans-linux-setup'Issues Measures |
This PR completely revamps jans-fido2, to enable support for passkeys, and bring the server up to spec.
So far changes:
Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with
docs:
to indicate documentation changes or if the below checklist is not selected.Closes #10079,
Prev. PR #9120