janssenproject / jans Goto Github PK

An open source enterprise digital identity platform for CIAM or workforce... Janssen is a distribution of standards-based, developer friendly, components that are engineered to work together in any cloud. #OAuth #OpenID #FIDO

Home Page: https://docs.jans.io

License: Apache License 2.0

Python 11.21% Shell 0.47% Mustache 0.19% Dockerfile 0.48% Makefile 0.05% Batchfile 0.01% Java 74.39% ANTLR 0.02% Gherkin 0.69% JavaScript 2.58% HTML 6.19% CSS 0.43% FreeMarker 0.05% Ruby 0.01% Roff 0.01% Groovy 0.01% HCL 0.06% Go 2.99% Rust 0.18%

access-management api iam identity kubernetes oauth2 openid-connect security sso

jans's People

Contributors

Stargazers

Watchers

Forkers

cyberflamego duttarnab smeerkahoven ajmengistu ifourtechnolab imshakil hadialsaleh mocx vishalnvora rodrigoyanase zbrumen dmlatha2131 oliversothcott identitymethods-uwarajwaman lichebaba console-cowboy kellenmurphy abdelwahabadam rizarsyi miles170 safinwasi shekhar16 harrdou misba7 mzico mmrraju johncstokes alrogado nazaryavornytskyy uprightech baronrustamov adelino-sensedia big0one maduvena nikdavnik pks-os nynymike defenceplatform prudhvinaidukarri manojs1978 geunkim rogsan davenicoll-slalom arif-basri ddiawara kylechaukccs bluekatydid gt-khoo corriganjeff davispuh step-security-bot 0x0i0r0i atiktalip anayonkars jobrain-app identicum wlio-tom adagio256 saernz malimszen leon1227 tawaren syntrydy kdhttps djun earnhardt3rd-forks rehket moabu backend-souls offsoc sbruices

jans's Issues

Remove deprecated properties support

We need to remove support for deprecated properties. Also we need to remove ox and gluu from few properties in JSON configuration.

NGINX Helm Template not working for Kubernetes < 1.19

When using Kubernetes Cluster < 1.19, the Ingress API Version "networking.k8s.io/v1" is not available causing an error in Helm install.

Since Kubernetes Clusters >= 1.19 are not yet available in major cloud providers, I suggest Helm Templates to be lined up with a lower version of Kubernetes and use previous Ingress API Version like "networking.k8s.io/v1beta1".

See below how would "helm/charts/nginx/templates/ingress.yaml" file would be.

# License terms and conditions for Janssen Cloud Native Edition:
# https://www.apache.org/licenses/LICENSE-2.0
{{ if .Values.ingress.enabled -}}
{{- $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-base
  labels:
    app: oxtrust
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/app-root: "/identity"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: {{ $ingressPath }}
            pathType: Prefix
            backend:
              serviceName: oxtrust
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-openid-config
  labels: 
    app: auth-server
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/openid-configuration /jans-auth/.well-known/openid-configuration$1 break;"
    nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/openid-configuration
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /.well-known/openid-configuration
            pathType: Exact
            backend:
              serviceName: auth-server
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-uma2-config
  labels: 
    app: auth-server
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/uma2-configuration /jans-auth/restv1/uma2-configuration$1 break;"
    nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/uma2-configuration
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /.well-known/uma2-configuration
            pathType: Exact
            backend:
              serviceName: auth-server
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-webfinger
  labels: 
    app: auth-server
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/webfinger /jans-auth/.well-known/webfinger$1 break;"
    nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/webfinger
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /.well-known/webfinger
            pathType: Exact
            backend:
              serviceName: auth-server
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-webdiscovery
  labels: 
    app: auth-server
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/simple-web-discovery /jans-auth/.well-known/simple-web-discovery$1 break;"
    nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/.well-known/simple-web-discovery
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /.well-known/simple-web-discovery
            pathType: Exact
            backend:
              serviceName: auth-server
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-scim-config
  labels:
    app: scim
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/scim-configuration /jans-scim/restv1/scim-configuration$1 break;"
    nginx.ingress.kubernetes.io/rewrite-target: /jans-scim/restv1/scim-configuration
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /.well-known/scim-configuration
            pathType: Exact
            backend:
              serviceName: scim
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-jans-scim
  labels:
    app: scim
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/ssl-services: "scim"
    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504"
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /jans-scim
            pathType: Prefix
            backend:
              serviceName: scim
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-u2f-config
  labels:
    app: auth-server
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/fido-configuration /jans-auth/restv1/fido-configuration$1 break;"
    nginx.ingress.kubernetes.io/rewrite-target: /jans-auth/restv1/fido-configuration
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /.well-known/fido-configuration
            pathType: Exact
            backend:
              serviceName: auth-server
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-fido2-configuration
  labels:
    app: fido2
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/configuration-snippet: "rewrite /.well-known/fido2-configuration /jans-fido2/restv1/configuration$1 break;"
    nginx.ingress.kubernetes.io/rewrite-target: /jans-fido2/restv1/configuration
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /.well-known/fido2-configuration
            pathType: Exact
            backend:
              serviceName: fido2
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-cn
  labels: 
    app: auth-server
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/ssl-services: "auth-server"
    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504"
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /jans-auth
            pathType: Prefix
            backend:
              serviceName: auth-server
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-stateful
  labels: 
    app: auth-server
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/ssl-services: "oxtrust"
    nginx.ingress.kubernetes.io/app-root: "/identity"
    nginx.ingress.kubernetes.io/affinity: "cookie"
    nginx.ingress.kubernetes.io/session-cookie-name: "route"
    nginx.ingress.kubernetes.io/session-cookie-hash: "sha1"
    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504"
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /identity
            pathType: Prefix
            backend:
              serviceName: oxtrust
              servicePort: 8080
          - path: /idp
            pathType: Prefix
            backend:
              serviceName: oxshibboleth
              servicePort: 8080
          - path: /passport
            pathType: Prefix
            backend:
              serviceName: oxpassport
              servicePort: 8080
  {{- end }}
---
{{ $fullName := include "nginx-ingress.fullname" . -}}
{{- $ingressPath := .Values.ingress.path -}}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ $fullName }}-casa
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.org/ssl-services: "casa"
    nginx.ingress.kubernetes.io/rewrite-target: /casa
    nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout invalid_header http_500 http_502 http_503 http_504"
spec:
{{- if .Values.ingress.tls }}
  tls:
  {{- range .Values.ingress.tls }}
    - hosts:
      {{- range .hosts }}
        - {{ . | quote }}
      {{- end }}
      secretName: {{ .secretName }}
  {{- end }}
{{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
    - host: {{ . | quote }}
      http:
        paths:
          - path: /casa
            pathType: Prefix
            backend:
              serviceName: casa
              servicePort: 8080
  {{- end }}
{{- end -}}

New Client Config Option: prompt=login

An admin may want to force clients to authenticate for each request. One way to accomplish this may be to just add the prompt=login request into the the authorization endpoint webservice if the client has this setting. So perhaps we can add an attribute to the client entity:

defaultPromptLogin: True

Stat : provide monthly active users statistic

Describe the issue

Goal is to provide monthly active users. Idea is to implement it with HLL help as following:

Each server should persists HLL data to persistence each 15min (or some other interval, configurable?).
Entry in persistence should be : per server and per month (means entry data has to be updated for same server and same month).
Monthly report means : HLL union for all servers/nodes for given month. If server wrote HLL data and after 5min crashed then we lost data for these 5min.

Java implementation: net.agkn.hll.

10 servers with 1000000 unique users login (total 10M) log2m=15, regwidth = 5

server0 - size: 20483bytes, cardinality: 996522
server1 - size: 20483bytes, cardinality: 998560
server2 - size: 20483bytes, cardinality: 1001721
server3 - size: 20483bytes, cardinality: 988345
server4 - size: 20483bytes, cardinality: 998151
server5 - size: 20483bytes, cardinality: 1005606
server6 - size: 20483bytes, cardinality: 993774
server7 - size: 20483bytes, cardinality: 992465
server8 - size: 20483bytes, cardinality: 988403
server9 - size: 20483bytes, cardinality: 1002353
UNION - size: 20483bytes, cardinality: 10010897

Token Strategy Enhancement Request 1 - Token Renewal

Enhancement request to research and consider renew refresh token on each use vs. single refresh token with multiple uses..(also in ref. to OBConnect project)

Unable to set Client responseType to "code id_token" - Hybrid Flow

Hi!

We are getting an error when setting a client responseTypes to "code id_token", I am assuming this is being check by CLI rather than API. See below logs.

«A list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. Allowed values are code, token, id_token. Type: array of string seperated by _, Valid values: code, token, id_token»
responseTypes [['code', 'id_token']]: code id_token
Please enter array of code, token, id_token seperated by _,
responseTypes [['code', 'id_token']]:

NOTE: There is a typo in "seperated" word, correct form is "separated" :)

Return Client Secret in Clear

GET /clients is returning an encoded version of "clientSecret" rather than original value of "clientSecret".

According to REST principles, the output of a GET call should be usable in a subsequent PUT call, and if we do this without changing the "clientSecret", the secret gets messed up and client stop working.

fix obtaining LDAP schema

LDAP post schema is different than scheme for scope, needs to be resolved

How to bootstrap the first client to call the config-api

As the jans-config-api is protected by default, on install, calls to the API return 401 - Unauthorized

How do you configure the auth-server, client and client creds that the config API's relies on for authorization.

Add options to deploy ingress per service in helm charts

Instead of storing new metrics snapshot entry metric service should update previous one

During update we need to keep start time. If end_time-start_time is greater than specified period instead of entry update it should add new one.

This approach should educe number of snapshot entries

jans-client-api project setup

Add methods to dynamic client registration script to modify POST and PUT responses

Describe the issue

Add methods to dynamic registration script to modify POST and PUT responses

Related: GluuFederation/oxAuth#1488
Support: 9002

Failed to reload configuration from DB

On jansRevision update applicaiton thows exception on configuration reload attempt

Update CB index names to conform new schema

We need to review and update this file: https://github.com/JanssenProject/jans-setup/blob/master/static/couchbase/index.json

Changes not reflected immediately in OpenID Configuration well-known endpoint

Hi! We are applying a change to a Scope resource - from "showInConfigurationEndpoint": true to "showInConfigurationEndpoint": false - but, after change has been posted, if we navigate to well-known endpoint we can still see scope in list.

Is behaviour caused by "discoveryCacheLifetimeInMinutes" parameter?

Issue bootstrapping Config API

In a clean CN install, we are getting an error bootstrapping config-api.

ERROR [io.qu.ru.Application] (main) Failed to start application (with profile prod): javax.ws.rs.WebApplicationException: Multiple UMA Scope with same name - https://jans.io/oauth/config/acrs.readonly
        at io.jans.configapi.auth.UmaResourceProtectionService.createScopeIfNeeded(UmaResourceProtectionService.java:104)
        at io.jans.configapi.auth.UmaResourceProtectionService.verifyResources(UmaResourceProtectionService.java:76)
        at io.jans.configapi.auth.UmaResourceProtectionService_ClientProxy.verifyResources(UmaResourceProtectionService_ClientProxy.zig:186)
        at io.jans.configapi.configuration.ConfigurationFactory.createAuthorizationService(ConfigurationFactory.java:300)
        at io.jans.configapi.configuration.ConfigurationFactory.create(ConfigurationFactory.java:158)
        at io.jans.configapi.configuration.ConfigurationFactory_ClientProxy.create(ConfigurationFactory_ClientProxy.zig:329)
        at io.jans.configapi.ConfigApiApplication.onStart(ConfigApiApplication.java:52)
        at io.jans.configapi.ConfigApiApplication_Observer_onStart_fd71b5e0b207b7d1ef838b94eaeff75e52b8f463.notify(ConfigApiApplication_Observer_onStart_fd71b5e0b207b7d1ef838b94eaeff75e52b8f463.zig:147)
        at io.quarkus.arc.impl.EventImpl$Notifier.notifyObservers(EventImpl.java:282)
        at io.quarkus.arc.impl.EventImpl$Notifier.notify(EventImpl.java:267)
        at io.quarkus.arc.impl.EventImpl.fire(EventImpl.java:69)
        at io.quarkus.arc.runtime.LifecycleEventRunner.fireStartupEvent(LifecycleEventRunner.java:23)
        at io.quarkus.arc.runtime.ArcRecorder.handleLifecycleEvents(ArcRecorder.java:60)
        at io.quarkus.deployment.steps.LifecycleEventsBuildStep$startupEvent-858218658.deploy_0(LifecycleEventsBuildStep$startupEvent-858218658.zig:81)
        at io.quarkus.deployment.steps.LifecycleEventsBuildStep$startupEvent-858218658.deploy(LifecycleEventsBuildStep$startupEvent-858218658.zig:40)
        at io.quarkus.runner.ApplicationImpl.doStart(ApplicationImpl.zig:631)
        at io.quarkus.runtime.Application.start(Application.java:90)
        at io.quarkus.runtime.ApplicationLifecycleManager.run(ApplicationLifecycleManager.java:95)
        at io.quarkus.runtime.Quarkus.run(Quarkus.java:62)
        at io.quarkus.runtime.Quarkus.run(Quarkus.java:38)
        at io.quarkus.runtime.Quarkus.run(Quarkus.java:104)
        at io.jans.configapi.MainApp.main(MainApp.java:19)

NOTE: This didn't happened with 1.0.0_a2

Security report

Severity	Package	Version	Fix Version	Type	Location
Medium	hibernate-validator	6.1.5.Final	unkown	java-archive	/opt/client-api/lib/jans-client-api-server.jar
High	snakeyaml	1.24	unknown	java-archive	/opt/client-api/lib/jans-client-api-server.jar
Medium	okhttp	3.6.0	unknown	java-archive	/opt/client-api/lib/jans-client-api-server.jar

Unnecessary seed data

Is your feature request related to a problem? Please describe.
After Jans Cloud Native install I find some seed data which is not required, like oxTtrust Client Id or even seed Admin user.

Describe the solution you'd like
Relocate creation of seed data to services that need it, like Client Id and Admin user should be created by oxTrust when installed.

Additional context
NOTE: The Auth Server should not require a admin user as it could be exclusively used in a machine-to-machine scenario.

Issue obtaining all clients

There is a problem obtaining all OpenID Clients via CLI.
NOTE: Issue doesn't happen when we call Config REST API directly.

Calling Api with parameters: {'limit': 50}
Please wait while retreiving data ...

Getting access token for scope https://jans.io/oauth/config/openid/clients.readonly
Traceback (most recent call last):
  File "./jca-cli.py", line 1324, in <module>
    cliObject.runApp()
  File "./jca-cli.py", line 1317, in runApp
    self.display_menu(self.menu)
  File "./jca-cli.py", line 990, in display_menu
    self.display_menu(menu.get_child(int(selection) -1))
  File "./jca-cli.py", line 994, in display_menu
    getattr(self, 'process_' + m.method)(m)
  File "./jca-cli.py", line 622, in process_get
    self.display_menu(endpoint.parent)
  File "./jca-cli.py", line 994, in display_menu
    getattr(self, 'process_' + m.method)(m)
  File "./jca-cli.py", line 622, in process_get
    self.display_menu(endpoint.parent)
  File "./jca-cli.py", line 994, in display_menu
    getattr(self, 'process_' + m.method)(m)
  File "./jca-cli.py", line 622, in process_get
    self.display_menu(endpoint.parent)
  File "./jca-cli.py", line 988, in display_menu
    self.display_menu(menu.parent)
  File "./jca-cli.py", line 990, in display_menu
    self.display_menu(menu.get_child(int(selection) -1))
  File "./jca-cli.py", line 994, in display_menu
    getattr(self, 'process_' + m.method)(m)
  File "./jca-cli.py", line 593, in process_get
    api_response = api_caller(**parameters)
  File "/home/ec2-user/jans-cli/swagger_client/api/o_auth___open_id_connect___clients_api.py", line 150, in get_oauth_openid_clients
    (data) = self.get_oauth_openid_clients_with_http_info(**kwargs)  # noqa: E501
  File "/home/ec2-user/jans-cli/swagger_client/api/o_auth___open_id_connect___clients_api.py", line 223, in get_oauth_openid_clients_with_http_info
    collection_formats=collection_formats)
  File "/home/ec2-user/jans-cli/swagger_client/api_client.py", line 321, in call_api
    _preload_content, _request_timeout)
  File "/home/ec2-user/jans-cli/swagger_client/api_client.py", line 160, in __call_api
    return_data = self.deserialize(response_data, response_type)
  File "/home/ec2-user/jans-cli/swagger_client/api_client.py", line 232, in deserialize
    return self.__deserialize(data, response_type)
  File "/home/ec2-user/jans-cli/swagger_client/api_client.py", line 249, in __deserialize
    for sub_data in data]
  File "/home/ec2-user/jans-cli/swagger_client/api_client.py", line 249, in <listcomp>
    for sub_data in data]
  File "/home/ec2-user/jans-cli/swagger_client/api_client.py", line 271, in __deserialize
    return self.__deserialize_model(data, klass)
  File "/home/ec2-user/jans-cli/swagger_client/api_client.py", line 616, in __deserialize_model
    instance = klass(**kwargs)
  File "/home/ec2-user/jans-cli/swagger_client/models/client.py", line 269, in __init__
    self.client_name = client_name
  File "/home/ec2-user/jans-cli/swagger_client/models/client.py", line 731, in client_name
    raise ValueError("Invalid value for `client_name`, must not be `None`")  # noqa: E501
ValueError: Invalid value for `client_name`, must not be `None`

Rename configuration properties persistIdTokenInLdap->persistIdTokenInDatabase, persistRefreshTokenInLdap->persistRefreshTokenInDatabase

Describe the issue

Rename

"persistIdTokenInLdap": false,
 "persistRefreshTokenInLdap": true

 "persistIdTokenInDatabase": false,
  "persistRefreshTokenInDatabase": true,

Web Authentication: An API for accessing Public Key Credentials Level 2

https://www.w3.org/TR/2020/CR-webauthn-2-20201222/

Level 2 adds an Apple attestation, some management features, enterprise attestation, and does some clean-up

Allow to inject protocol and address of OP from env. var. provided by CN

protocol://op-address

It should be configurable and allow to switch off such injection.

Modify oxd-spring, oxd-java-sample and python client script to test jans-client-api

Modify oxd-spring, oxd-java-sample and python client script to test jans-client-api.

https://github.com/GluuFederation/oxd-spring
https://github.com/GluuFederation/oxd-java-sample
https://www.gluu.org/docs/oxd/tutorials/python/

Stat : provide token counter - per token type and per grant type

Describe the issue

Stat : provide token counter - per token type and per grant type.

Each server can maintain counter as in MAU case and then sum it for month. Ref:

https://github.com/JanssenProject/jans-auth-server/issues/17

Example

- client_credential:
  access_token - 100
  id_token - 10
  refresh_token - 9
- authorization_code:
  access_token - 100
  id_token - 10
  refresh_token - 9
- password:
  access_token - 10
  id_token - 1
  refresh_token - 1
- uma:
  rpt - 100

Replace removed JDK 11 internal API with another methods

In Corretto jdk 11 there is no sun.security.pkcs11.SunPKCS11 anymore. As result we need to replace this api with another methods to get Jans Eleven working

startdemo fails to detect ip

Add support for enabling SCIM testmode

The action will trigger a creation of a client and secret by the config job upon new installations. Also the persistence job is effected by this flag.

Deprecate javax.mail dependecy

We need to replace deprecated javax.mail library with another supported library

Support install two janssen servers in one cluster

Cluster level resources should be prefixed with release name.

Create scim-api client for jca-cli

Create openID client for jca-cli supporting scim. And also configure jca-cli for multimode

Introduce revoke interception script

Describe the issue

Introduce revoke interception script. With revoke interception script it will be possible to inject custom logic (especially with invalidateSessionCookiesAfterAuthorizationFlow conjunction).

Support: 9103

Token Strategy Enhancement Request 2 - Refresh Token TTL

Enhancement request to consider refresh tokens for X days and new issued refresh tokens will always keep that fixed TTL as exp. date vs. moving TTL window, where each refresh token allows an extra X days from token issuance...(in ref. to OBConnect project).

Configure client to add user claims to an access token.

We can add user claims to an access token using an interception script. Can we make this configurable per client automatically?

We could add a client attributes, something like customUserATClaims and with a JSON array of the claims. See also jans-auth-server-64

Re-design oxd Connect part to work inside user-agent instead of as backchannel app.

Refer : GluuFederation/oxd#462

Support test profiles

Now in test properties we have to hardcode server URL. We need to add profiles support which we have already in Jans Auth, Jans Scim, etc..

SCIM APIs not protected by default

Describe the bug
When SCIM is used, SCIM APIs are not protected by default allowing anyone to create, update, delete Users.

To Reproduce
Steps to reproduce the behavior:

Install Jans
Execute GET call to https:///jans-scim/restv1/v2/Users

Expected behavior
I would expect access to SCIM API access to be protected by default similar to Config API.

Implement FF4J: Feature Flags for Java

Feature Toggle is the capability for an application, a system or a product to enable and/or disable features through configuration (files, databases,…) and possibly at runtime. FF4J, stands as Feature Flipping for Java, is an implementation of this pattern for the Java platform.

https://ff4j.github.io/

User Management via SCIM

It would be a nice feature to add user management to the CLI. For example, add / edit / delete a user. Also, view / delete FIDO devices for a person.

Improve backchannel logout : gather status of each backchannel logout response into EndSessionContext

Describe the issue

Looking at EndSessionUtils.java, it appears that the response status (sucess or fail) from the RP is just silently logged, but otherwise ignored.

We can capturing the success/failure result of each backchannel logout request in the EndSessionContext object that is made available to end_session interception scripts. This would allow us to display a page that warns users that not all of their RP sessions were successfully logged-out.

Support: 9081

Unable to add introspection custom script to jans

I am trying to add an Introspection Custom Script. The following are the input I have given during the attempt to add the custom script. The last of the following text has the error I got.

«Type: string»
dn: 2DAF-BA92,ou=scripts,o=jans

«XRI i-number. Identifier to uniquely identify the script. Type: string»
inum: 2DAF-BA92

«Name should contain only letters, digits and underscores. Type: string»
name: FIRST_TEST_ADD

«List of possible alias for the script. Type: array of string separated by _,»
aliases: ONE_TWO_THREE

«Details describing the script. Type: string»
description: FIRST CUSTOM SCRIPT ADD JANS-CLI

«Actual script. Type: string»
import String\n\nclass Introspection(IntrospectionType):\n def init(self, currentTimeMillis):\n self.currentTimeMillis = currentTimeMillis\n\n def init(self, customScript, configurationAttributes):\n print "Introspection script. Initializing ..."\n print "Introspection script. Initialized successfully"\n\n return True\n\n def destroy(self, configurationAttributes):\n print "Introspection script. Destroying ..."\n print "Introspection script. Destroyed successfully"\n return True\n\n def getApiVersion(self):\n return 11\n\n # Returns boolean, true - apply introspection method, false - ignore it.\n # This method is called after introspection response is ready. This method can modify introspection response.\n # Note :\n # responseAsJsonObject - is org.codehaus.jettison.json.JSONObject, you can use any method to manipulate json\n # context is reference of io.jans.as.service.external.context.ExternalIntrospectionContext (in https://github.com/JanssenFederation/oxauth project, )\n def modifyResponse(self, responseAsJsonObject, context):\n responseAsJsonObject.accumulate("key_from_script", "value_from_script")\n return True\n\n

«Type of script. Type: string»
scriptType: INTROSPECTION

«Programming language of the custom script. Type: string»
programmingLanguage: PYTHON
Traceback (most recent call last):
File "/opt/jans/jans-cli/config-cli.py", line 1423, in
cliObject.runApp()
File "/opt/jans/jans-cli/config-cli.py", line 1416, in runApp
self.display_menu(self.menu)
File "/opt/jans/jans-cli/config-cli.py", line 1076, in display_menu
self.display_menu(menu.get_child(int(selection) -1))
File "/opt/jans/jans-cli/config-cli.py", line 1079, in display_menu
getattr(self, 'process_' + m.method)(m)
File "/opt/jans/jans-cli/config-cli.py", line 863, in process_post
model = self.get_input_for_schema_(schema, model_class)
File "/opt/jans/jans-cli/config-cli.py", line 782, in get_input_for_schema_
for cur_data in cur_model_data:

Support for Hypermedia Authentication

This is a better approach for authentication of non-web applications. See https://travisspencer.com/articles/hypermedia-api-resources/

Depends on :

DPoP

JCA Client Id seed data make Jans CLI fail

When in Cloud Native version, the JCA Client Id created in config-api makes Jans CLI fail because "clientName" is not set and it's a required attribute in Config API schema.

This issue is related with https://github.com/JanssenProject/jans-cli/issues/2

SCIM APIs not protected by default

Describe the bug
When SCIM is used, SCIM APIs are not protected by default allowing anyone to create, update, delete Users.

To Reproduce
Steps to reproduce the behavior:

Install Jans
Execute GET call to https:///jans-scim/restv1/v2/Users

Expected behavior
I would expect access to SCIM API access to be protected by default similar to Config API.

New Client Config: Force Request Object

The admin may want to make a policy that forces the client to use a signed request object instead of using parameters. We may also want to force using requestObjectURI.

OpenDJ memory issue after CE install

After CE installation OpenDJ throws OutOfMemory errors. But the issue disappears after OpenDJ service restart.

Steps to reproduce:

Run DeployServer jenkins job
After finishing installation run jans-auth-server and jans-scimbuild with tests
As result more than half of the tests should fail.

Theoretical background

In CE we start OpenDJ before all other services. As result it calculates that it can use more than 70% allowed memory. After starting all other services the memory conditions for OpenDJ will be changed. This means that it can't allocate 70% anymore for buffers if needed. Restart resolves this issue because we already start all services and now it can realistically determine allowed memory for buffers.

How to fix

We need to use java options to limit OpenDJ memory usage by limit calculated during install. We also need do specify in console that OpenDJ will use XYZ MB. Also we need to update documentation to allow change this limit if needed.

Support for Hybrid Flow response type

According to Config API specification, responseTypes | [A list of the OAuth 2.0 response_type values that the Client is declaring that it will restrict itself to using. If omitted, the default is that the Client will use only the code Response Type. Allowed values are code, token, id_token.stringEnum:[ code, token, id_token ]

Since only allowed values are are code, token, id_token.stringEnum:[ code, token, id_token ], there is no way to set up a client with "code id_token" to enable hybrid flow.

janssenproject / jans Goto Github PK

jans's People

Contributors

Stargazers

Watchers

Forkers

jans's Issues

Describe the issue

Describe the issue

Describe the issue

Describe the issue

Describe the issue

Describe the issue

Steps to reproduce:

Theoretical background

How to fix

Recommend Projects

Recommend Topics

Recommend Org