
feat(jans-auth-server): updated first party native authn implementation ( in backwards compatibility way) #10380 #10442

Draft: wants to merge 9 commits into base: main

Conversation

yuriyz
Contributor

@yuriyz yuriyz commented Dec 17, 2024

Description

Update first party native authn implementation.
It must be updated in a backwards-compatible way because it is already in use.

https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/02/

Target issue

closes #10380

Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

@yuriyz yuriyz requested review from yurem and yuriyzz as code owners December 17, 2024 16:34
@yuriyz yuriyz marked this pull request as draft December 17, 2024 16:34

dryrunsecurity bot commented Dec 17, 2024

DryRun Security Summary

The pull request enhances the security of the Janssen Authentication Server by implementing DPoP support, improving authorization challenge handling, strengthening token validation, and adding comprehensive audit logging to mitigate potential security risks.


Summary:

The code changes in this pull request focus on enhancing the security of the Janssen Authentication Server (JAS) application, particularly in the areas of authorization challenge handling, DPoP (Demonstration of Proof-of-Possession) implementation, and overall token management.

The key security improvements include:

  1. DPoP Support: The changes introduce support for the DPoP mechanism, which helps mitigate the risk of access token theft and replay attacks by binding the access token to a specific client's public key.
  2. Authorization Challenge Handling: The code updates various components to handle the authorization challenge process, which is a security mechanism used to prevent authorization code injection attacks.
  3. Robust Token Validation: The changes include extensive validation of various token-related parameters, such as grant types, refresh tokens, and PKCE values, to ensure the integrity and security of the token exchange process.
  4. Audit Logging: The code updates the OAuth2 audit log to provide a detailed audit trail of successful token requests, which is important for monitoring and investigating any suspicious activities.

Overall, the changes in this pull request demonstrate a strong focus on improving the security posture of the Janssen Authentication Server application by implementing industry-standard security practices and mechanisms, such as DPoP and authorization challenge handling. These enhancements help to mitigate various security risks and strengthen the overall security of the application.

Files Changed:

  1. AuthorizationChallengeSessionAttributes.java: This class was updated to include a new field called jkt (JWK SHA-256 Thumbprint), which is used to store the DPoP public key thumbprint to bind the access token.
  2. AuthorizationChallenge.java: The changes in this file handle the authorization challenge process, including the extraction and validation of the DPoP header and the management of the authorization challenge session.
  3. DpopService.java: This class was updated to include methods for validating the DPoP JWT, including the extraction and validation of the JWK thumbprint.
  4. AuthorizationChallengeEndpoint.java: The changes in this file focus on handling the authorization challenge request, including the extraction and validation of the DPoP header and the authorization challenge session.
  5. AuthzRequest.java: A new dpop field was added to the AuthzRequest class, likely to support the DPoP mechanism.
  6. AuthorizationChallengeSessionService.java: This class was updated to handle the creation, persistence, and retrieval of the authorization challenge session.
  7. AuthorizationChallengeValidator.java: The changes in this file enhance the validation of the DPoP token and the grant type used in the authorization flow.
  8. AuthorizationChallengeService.java: The changes in this file focus on handling the authorization challenge process, including the validation of the DPoP and JKT parameters.
  9. AuthorizationGrant.java: The changes in this file include the addition of the authorizationChallenge attribute to the TokenEntity.
  10. AbstractAuthorizationGrant.java: A new isAuthorizationChallenge flag was introduced in this class.
  11. AuthorizationGrantList.java: The changes in this file include the addition of the authorizationChallenge field to the AuthorizationGrant object.
  12. TokenRestWebServiceValidator.java: The changes in this file focus on the validation of request parameters, including the redirect URI and PKCE parameters.
  13. TokenAttributes.java: A new authorizationChallenge property was added to the TokenAttributes class.
  14. TokenRestWebServiceImpl.java: The changes in this file focus on the handling of various grant types, including the validation of parameters and the implementation of token binding.
  15. TokenRestWebServiceValidatorTest.java: This file includes tests for validating the various token-related parameters and conditions during the token exchange process.

Code Analysis

We ran 9 analyzers against 15 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings: Authn/Authz Analyzer, 4 findings.

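The jkt binding the summary describes (the RFC 7638 thumbprint of the key in the DPoP proof header, compared with the thumbprint stored in the authorization challenge session) as an added, stand-alone Python example. This is not code from the Janssen project: it uses a constructed sample key and an unsigned placeholder proof, and assumes that verification of the proof's signature against that same jwk happens elsewhere.

```python
import base64
import hashlib
import hmac
import json

# Members RFC 7638 hashes per key type; sort_keys gives the mandated order.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def canonical_members(jwk: dict) -> str:
    """RFC 7638 canonical form: required members only, sorted, no whitespace."""
    members = THUMBPRINT_MEMBERS.get(jwk.get("kty"))
    if members is None:
        raise ValueError("unsupported kty for thumbprint")
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))

def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical members)): the value carried in jkt."""
    return b64url_encode(hashlib.sha256(canonical_members(jwk).encode("utf-8")).digest())

def dpop_proof_jkt(dpop_proof: str) -> str:
    """Read the jwk from a DPoP proof header (RFC 9449) and return its thumbprint.
    Assumption: the proof signature is verified against that same jwk elsewhere."""
    header = json.loads(b64url_decode(dpop_proof.split(".")[0]))
    if header.get("typ") != "dpop+jwt" or "jwk" not in header:
        raise ValueError("not a DPoP proof JWT")
    jwk = header["jwk"]
    if "d" in jwk:  # RFC 9449: the proof's jwk must not carry private key material
        raise ValueError("private key material in DPoP proof")
    return jwk_thumbprint(jwk)

def dpop_bound(session_jkt: str, dpop_proof: str) -> bool:
    """True only if the proof's key matches the jkt stored in the challenge session."""
    return hmac.compare_digest(session_jkt, dpop_proof_jkt(dpop_proof))

# Constructed sample: public EC coordinates (no real key pair) and an unsigned proof
# whose header carries that key; payload and signature are placeholders only.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_PROOF = ".".join([
    b64url_encode(json.dumps({"typ": "dpop+jwt", "alg": "ES256",
                              "jwk": {**SAMPLE_JWK, "kid": "k1"}}).encode()),
    b64url_encode(b'{"htm":"POST","htu":"https://as.example/authorize-challenge"}'),
    "sig-placeholder"])
```

Optional members such as kid or alg in the proof's jwk do not change the thumbprint, which is why a session can store only the 43-character jkt rather than the whole key.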

@mo-auto mo-auto added comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Dec 17, 2024
Development

Successfully merging this pull request may close these issues.

feat(jans-auth-server): update first party native authn implementation ( in backwards compatibilty way)
2 participants