feat: Support Super Gluu one step authentication to Fido2 server #3593 #3599

Merged
merged 37 commits into from
Jan 27, 2023
9bfe2db
feat: Support Super Gluu one step authentication to Fido2 server #3593
yurem Jan 11, 2023
1757d90
feat: add sample request/response for one/two steps
yurem Jan 11, 2023
a91b957
feat: enrollment proxy for Super Gluu
yurem Jan 13, 2023
440fb3a
chore: allow to process Super Gluu auth request
yurem Jan 17, 2023
f177d01
feat: add super gluu authentication flow support
yurem Jan 20, 2023
e07fe82
feat: update to conform Jans
yurem Jan 20, 2023
9a7e26c
feat: update SG script and services to conform Fido2 server
yurem Jan 20, 2023
092aaf8
feat: add fido2 device registration services to jans-auth-server
yurem Jan 20, 2023
5e49be9
feat: full 2 step Super Gluu support
yurem Jan 21, 2023
7c1d641
feat: user filter to search user's devices for specifc domain
yurem Jan 21, 2023
f0e1713
fix: super_gluu_script
maduvena Jan 24, 2023
20512c4
fix: super Gluu script
maduvena Jan 24, 2023
7b9568e
feat: support one_step Super Gluu enrollment
yurem Jan 24, 2023
e44ff17
feat: clean up jans-auth-server static config
yurem Jan 24, 2023
e5ff75e
Revert "fix: super_gluu_script"
yurem Jan 24, 2023
500bdbc
Revert "fix: super Gluu script"
yurem Jan 24, 2023
5477bd1
chore: fix after conflicts
yurem Jan 24, 2023
18cf4ef
chore: fix conflicts
yurem Jan 24, 2023
2f85fea
feat: super Gluu uses applicationId isntead of applicationId domain
yurem Jan 25, 2023
f3ee28a
feat: support Super Gluu one_step authentication
yurem Jan 25, 2023
7c41d96
feat: add separate base DN for one step auth requests
yurem Jan 25, 2023
00e91a7
feat: add super Fluu config option and disable it's API by default
yurem Jan 25, 2023
e9c8632
feat: fixes in two step flow to conform katest API
yurem Jan 25, 2023
cfbedae
feat move generic attributes to base bean
yurem Jan 26, 2023
c89db25
feat: remove unused services
yurem Jan 26, 2023
48bc330
chore: review script
yurem Jan 26, 2023
0780c86
chore: code review
yurem Jan 26, 2023
75fb70a
chore: fix formatting
yurem Jan 26, 2023
bd68067
feat: add missing base fido2 branch
yurem Jan 26, 2023
00b1968
chore: code review
yurem Jan 26, 2023
52b4fdb
chore: review validators
yurem Jan 26, 2023
737d0d6
feat: move Super Gluu adaptors code to separate services
yurem Jan 26, 2023
f0e82f8
chore: optimizations
yurem Jan 26, 2023
9381e0d
chore: remove unused methods
yurem Jan 26, 2023
d9188fe
feat: remove U2F clean up jobs
yurem Jan 27, 2023
2038353
feat: more input parameters validations
yurem Jan 27, 2023
9592c0f
feat: final optimizations and fixes
yurem Jan 27, 2023
feat: more input parameters validations
yurem committed Jan 27, 2023
commit 20383532be10ec7db9a41d6c795d32fb982515fd
Expand Up @@ -30,6 +30,8 @@
@ApplicationScoped
public class UserSessionIdService {

public static final String AUTHENTICATED_USER = "auth_user";

@Inject
private Logger log;

Expand All @@ -39,6 +41,24 @@ public class UserSessionIdService {
@Inject
private PersistenceEntryManager persistenceEntryManager;

public boolean isValidSessionId(String sessionId, String userName) {
SessionId session = getSessionId(sessionId);
if (session == null) {
log.error("Specified session_id '{}' is invalid", sessionId);
return false;
}

if (StringHelper.isNotEmpty(userName)) {
String sessionIdUser = session.getSessionAttributes().get(AUTHENTICATED_USER);
if (!StringHelper.equalsIgnoreCase(userName, sessionIdUser)) {
log.error("Username '{}' and session_id '{}' don't match", userName, sessionId);
return false;
}
}

return true;
}

public void updateUserSessionIdOnFinishRequest(String sessionId, String userInum, Fido2RegistrationEntry registrationEntry, boolean enroll, boolean oneStep) {
SessionId entity = getSessionId(sessionId);
if (entity == null) {
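Review bot: isValidSessionId writes the caller-supplied session_id in full into the log on both failure paths (the `log.error` after the null check and the one after the username comparison); a session identifier is effectively a bearer credential and an invalid one arrives straight from the client, so the log should not retain the raw value. A fixed message at warn level, e.g. `log.warn("Specified session_id is invalid");`, or a truncated/hashed form, would keep the diagnostic without the secret. The method also deserves a Javadoc stating that with an empty userName it only confirms the session exists and does not bind it to any user, since that is the one_step behaviour the controllers rely on. If getSessionAttributes() can return null the map lookup will throw rather than return false, which is worth confirming against SessionId. The class continues outside the hunk and updateUserSessionIdOnFinishRequest is cut off at its bottom.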
Expand Up @@ -24,6 +24,7 @@
import io.jans.fido2.service.DataMapperService;
import io.jans.fido2.service.DigestService;
import io.jans.fido2.service.operation.AssertionService;
import io.jans.fido2.service.persist.UserSessionIdService;
import io.jans.fido2.service.sg.RawAuthenticationService;
import io.jans.fido2.service.verifier.CommonVerifiers;
import io.jans.fido2.sg.SuperGluuMode;
Expand Down Expand Up @@ -54,6 +55,9 @@ public class AssertionSuperGluuController {
@Inject
private DigestService digestService;

@Inject
private UserSessionIdService userSessionIdService;

/* Example for one_step:
* - request:
* username: null
Expand All @@ -79,6 +83,15 @@ public class AssertionSuperGluuController {
public JsonNode startAuthentication(String userName, String keyHandle, String appId, String sessionId) {
boolean oneStep = StringHelper.isEmpty(userName);

boolean valid = userSessionIdService.isValidSessionId(sessionId, userName);
if (!valid) {
throw new Fido2RuntimeException(String.format("session_id '%s' is invalid", sessionId));
}

if (StringHelper.isEmpty(userName) && StringHelper.isEmpty(keyHandle)) {
throw new Fido2RuntimeException("The request should contains either username or keyhandle");
}

ObjectNode params = dataMapperService.createObjectNode();
// Add all required parameters from request to allow process U2F request
params.put(CommonVerifiers.SUPER_GLUU_REQUEST, true);
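Review bot: The literal in the new presence check has a grammar error that will reach API clients: `throw new Fido2RuntimeException("The request should contain either username or keyhandle");`. That check needs only the two arguments, so it should run before userSessionIdService.isValidSessionId, which (per the UserSessionIdService hunk) does a persistence lookup; rejecting a malformed request first keeps the cheap check in front of the store access. The session_id is also echoed verbatim into the exception message here and again in startRegistration in AttestationSuperGluuController; if Fido2RuntimeException messages are surfaced in HTTP responses, a fixed `"session_id is invalid"` is enough for the caller, who already knows the value it sent. startAuthentication's body continues outside the hunk.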
Expand Up @@ -30,6 +30,7 @@
import io.jans.fido2.service.DataMapperService;
import io.jans.fido2.service.DigestService;
import io.jans.fido2.service.operation.AttestationService;
import io.jans.fido2.service.persist.UserSessionIdService;
import io.jans.fido2.service.sg.RawRegistrationService;
import io.jans.fido2.service.verifier.CommonVerifiers;
import io.jans.fido2.sg.SuperGluuMode;
Expand Down Expand Up @@ -70,6 +71,9 @@ public class AttestationSuperGluuController {
@Inject
private DigestService digestService;

@Inject
private UserSessionIdService userSessionIdService;

@Inject
private AppConfiguration appConfiguration;

Expand All @@ -96,6 +100,11 @@ public class AttestationSuperGluuController {
public JsonNode startRegistration(String userName, String appId, String sessionId, String enrollmentCode) {
boolean oneStep = StringHelper.isEmpty(userName);

boolean valid = userSessionIdService.isValidSessionId(sessionId, userName);
if (!valid) {
throw new Fido2RuntimeException(String.format("session_id '%s' is invalid", sessionId));
}

ObjectNode params = dataMapperService.createObjectNode();
// Add all required parameters from request to allow process U2F request
params.put(CommonVerifiers.SUPER_GLUU_MODE, oneStep ? SuperGluuMode.ONE_STEP.getMode() : SuperGluuMode.TWO_STEP.getMode());
Expand All @@ -105,12 +114,12 @@ public JsonNode startRegistration(String userName, String appId, String sessionI
if (oneStep) {
useUserName = attestationService.generateUserId();
}

params.put("username", useUserName);
params.put("displayName", useUserName);

params.put("session_id", sessionId);

// Required parameters
params.put("attestation", "direct");

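Review bot: With an empty userName (the one_step case computed on the line above), isValidSessionId only verifies that the session exists and performs no user binding, as its implementation in the UserSessionIdService hunk shows, so this check does not tie the registration to anyone; a comment should make that visible to the next reader: `// one_step: session is checked for existence only, not bound to a user`. The `valid` local adds nothing and the condition reads better inlined: `if (!userSessionIdService.isValidSessionId(sessionId, userName)) {`. enrollmentCode is not validated anywhere in this hunk; if it is checked further down the method, outside the hunk, a short note here would help, otherwise an empty-check next to the session check seems warranted. The second hunk in this section only adjusts blank lines. startRegistration continues outside the hunk.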