
fix(jans-casa): enrollment of a passkey implies the enrollment… #10473

Merged
merged 2 commits into from
Dec 20, 2024

Conversation

maduvena
Contributor

… of all three types of authenticator - client-device, hybrid, security-key

Prepare


Description

Target issue

closes #10470

Implementation Details

fido2-details.zul, FIDOService methods changed and refactoring


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

@maduvena maduvena requested a review from jgomer2001 as a code owner December 20, 2024 09:46

dryrunsecurity bot commented Dec 20, 2024

DryRun Security Summary

The code changes enhance the security and functionality of FIDO2 authentication in the Jans Casa application by improving device classification, updating terminology to "Passkey", integrating an Attestation Service, providing better device management, refining the user interface, and implementing additional security measures.


Summary:

The provided code changes are focused on enhancing the security and functionality of the FIDO2 (Fast IDentity Online) authentication and credential management features within the Jans Casa application. The key changes include:

  1. FIDO2 Device Classification: The code now classifies registered FIDO2 devices into different types, such as Platform Authenticators, Multi-device Authenticators, and Security Keys, based on the supported transport mechanisms. This allows the application to apply appropriate security controls and policies based on the device type.

  2. Passkey Terminology: The terminology has been updated from "Security Key" to "Passkey", reflecting the industry-wide adoption of the Passkey standard, which provides a more secure alternative to traditional password-based authentication.

  3. Attestation and Verification: The code has been updated to integrate with an Attestation Service, which is responsible for handling the FIDO2 registration and verification processes. This ensures the integrity and trustworthiness of the FIDO2 authentication workflow.

  4. Device Management: The application now provides enhanced functionality for managing FIDO2 devices, including the ability to retrieve, update, and remove devices associated with a user and an application.

  5. User Interface and User Experience: The user interface and user-facing labels have been updated to provide clearer instructions and information about using FIDO2 (Passkeys) and other two-factor authentication (2FA) methods, improving the overall user experience.

  6. Security Enhancements: The changes include security-focused improvements, such as enforcing a minimum requirement of at least one 2FA credential before enabling 2FA, and providing appropriate error handling and messaging for various credential management scenarios.

Overall, the code changes appear to be focused on improving the security and usability of the FIDO2 authentication features within the Jans Casa application, aligning with industry best practices and the latest standards in passwordless authentication.

Files Changed:

  1. FidoDevice.java: Adds a new transports field and related methods to the FidoDevice class, which represents a FIDO registered credential. This change allows the application to differentiate between different types of FIDO devices based on their supported transport mechanisms.

  2. Fido2RegistrationData.java: Updates the Fido2RegistrationData class to include additional fields and flags related to the FIDO2 registration process, such as backup state, attestation data, and user verification/presence. These changes improve the security and robustness of the FIDO2 registration data handling.

  3. Fido2RegistrationEntry.java: Refactors the Fido2RegistrationEntry class, which stores information about FIDO2 registration entries. The changes do not introduce any obvious security vulnerabilities, but it's important to ensure that the class properly handles and protects the sensitive registration data.

  4. PersistenceService.java: Enhances the logging and error handling in the find() method, which retrieves data from the underlying persistence layer. This change improves the application's observability and maintainability, which can indirectly contribute to its security.

  5. PasskeysEnrollingWS.java, PasskeysExtension.java, Fido2Service.java, PasskeysViewModel.java, and fido2-detail.zul: These changes are focused on updating the FIDO2 (Passkeys) functionality, including renaming classes, removing unnecessary parameters, and improving the user interface and user experience.

  6. user.properties: Updates the user-facing labels and instructions related to FIDO2 (Passkeys) and two-factor authentication, providing clearer information and guidance to the users.

Code Analysis

We ran 9 analyzers against 10 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer Findings
Authn/Authz Analyzer 1 finding

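The classification the bot summary describes (item 1 above and the PR title: a registered credential is counted as exactly one of client-device, hybrid or security-key, derived from its WebAuthn transports) is illustrated by the following added example. It is not Jans Casa code; the precedence rule ("hybrid" before "internal" before roaming transports) and the treatment of empty or unrecognised transports as UNKNOWN are assumptions of this example, not something the PR is known to implement.

```java
import java.util.*;

// Added illustration (not Jans Casa code): derive the authenticator type
// of a registered credential from its WebAuthn "transports" hints, so that
// enrolling one passkey counts toward exactly one of the three types.
public class PasskeyTypeClassifier {

    public enum AuthenticatorType { CLIENT_DEVICE, HYBRID, SECURITY_KEY, UNKNOWN }

    // Roaming transport values defined by WebAuthn (AuthenticatorTransport).
    private static final Set<String> ROAMING = Set.of("usb", "nfc", "ble", "smart-card");

    // Assumed precedence: "hybrid" wins because a credential reachable through
    // the cross-device flow is by definition multi-device; "internal" alone
    // marks a platform (client-device) authenticator; a roaming transport
    // marks a security key. Anything else is UNKNOWN and is never counted,
    // so a credential with missing transports cannot inflate enrollment.
    public static AuthenticatorType classify(List<String> transports) {
        if (transports == null || transports.isEmpty()) return AuthenticatorType.UNKNOWN;
        Set<String> t = new HashSet<>();
        for (String s : transports) t.add(s.trim().toLowerCase(Locale.ROOT));
        if (t.contains("hybrid")) return AuthenticatorType.HYBRID;
        if (t.contains("internal")) return AuthenticatorType.CLIENT_DEVICE;
        for (String r : ROAMING) if (t.contains(r)) return AuthenticatorType.SECURITY_KEY;
        return AuthenticatorType.UNKNOWN;
    }

    // Which of the three types a user has actually enrolled, given the
    // transports of each registered credential; UNKNOWN is never reported.
    public static EnumSet<AuthenticatorType> enrolledTypes(List<List<String>> credentials) {
        EnumSet<AuthenticatorType> result = EnumSet.noneOf(AuthenticatorType.class);
        for (List<String> c : credentials) {
            AuthenticatorType type = classify(c);
            if (type != AuthenticatorType.UNKNOWN) result.add(type);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: one roaming key (usb+nfc), one platform passkey,
        // one credential with no transport hints. Only two types are enrolled.
        List<List<String>> creds = List.of(List.of("usb", "nfc"), List.of("internal"), List.of());
        System.out.println(enrolledTypes(creds));
    }
}
```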

@mo-auto mo-auto added comp-jans-casa Touching folder /jans-casa kind-bug Issue or PR is a bug in existing functionality labels Dec 20, 2024
@moabu moabu changed the title fix(jans-casa): #10470 Enrollment of a passkey implies the enrollment… fix(jans-casa): enrollment of a passkey implies the enrollment… Dec 20, 2024
@moabu moabu merged commit b0a7da3 into main Dec 20, 2024
11 checks passed
@moabu moabu deleted the issue_10470 branch December 20, 2024 12:46

ossdhaval pushed a commit that referenced this pull request Dec 27, 2024
fix(jans-casa): #10470 Enrollment of a passkey implies the enrollment of all three types of authenticator - client-device, hybrid, security-key

Co-authored-by: Mohammad Abudayyeh <[email protected]>