fix(jans-auth-server): new jans server installation show null in place of client_name #9415

[yuriyz]

Description

fix(jans-auth-server): new jans server installation show null in place of client_name

Target issue

closes #9415

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed
• Tested manually

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The pull request focuses on improving the user experience and client representation during the authorization flow in the Jans Auth Server application, with changes to the AuthorizeAction class and the authorize-extended-template.xhtml file, while emphasizing the importance of reviewing the entire codebase to ensure secure implementation of authorization-related functionality and proper sanitization and validation of the client display name to prevent potential security vulnerabilities.

Expand for full summary

Summary:

The code changes in this pull request are focused on improving the user experience and client representation during the authorization flow in the Jans Auth Server application. The key changes include the addition of the getClientDisplayName() method in the AuthorizeAction class, which retrieves the client's display name or ID if the name is not available, and a UI-level change in the authorize-extended-template.xhtml file to display a more user-friendly client name.

From an application security perspective, the changes do not introduce any major security concerns. However, it is essential to review the entire codebase and ensure that all authorization-related functionality is implemented securely, including proper validation of input parameters, secure handling of session management, careful management of sensitive information, robust error handling and logging, and regular security audits and penetration testing. Additionally, the client display name should be properly sanitized and validated to prevent potential Cross-Site Scripting (XSS) vulnerabilities.

Files Changed:

1. jans-auth-server/server/src/main/java/io/jans/as/server/authorize/ws/rs/AuthorizeAction.java:

   • The changes include the addition of the getClientDisplayName() method, which retrieves the client's display name or ID if the name is not available. This helps to provide a user-friendly representation of the client in the authorization flow.
   • From a security perspective, the changes do not introduce any major security concerns, but it's important to review the entire codebase and ensure that all authorization-related functionality is implemented securely.

2. jans-auth-server/server/src/main/webapp/WEB-INF/incl/layout/authorize-extended-template.xhtml:

   • The changes replace the previous logic, which used client.getClientName() or client.getClientId() to display the client name, with a new property authorizeAction.clientDisplayName.
   • While this change is not immediately concerning from a security perspective, it's important to ensure that the authorizeAction.clientDisplayName property is properly sanitized and validated to prevent potential Cross-Site Scripting (XSS) vulnerabilities.

Code Analysis

We ran 9 analyzers against 2 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer	Findings
Authn/Authz Analyzer	1 finding

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[yuriyz]

[sonarcloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud