feat(jans-auth-server): allow to use openidSubAttribute for localAccountId for pairwise identifier look up #9696

[yuriyz]

Description

feat(jans-auth-server): allow to use openidSubAttribute for localAccountId for pairwise identifier look up

Target issue

closes #9696

Test and Document the changes

• Static code analysis has been run locally and issues have been fixed

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

• I confirm that there is no impact on the docs due to the code changes in this PR.

[dryrunsecurity]

DryRun Security Summary

The provided code changes focus on improving the handling of the OpenID Connect (OIDC) sub claim and the management of pairwise identifiers within the jans-auth-server project, enhancing the application's security and compliance with OIDC standards.

Expand for full summary

Summary:

The provided code changes are focused on improving the handling of the OpenID Connect (OIDC) sub claim and the management of pairwise identifiers within the jans-auth-server project. These changes are important for maintaining the privacy and security of user identities in the OIDC implementation.

The key changes include the addition of a new getOpenidSubValue method to determine the appropriate value for the sub claim, modifications to the existing getSub method to use the new getOpenidSubValue function, and the introduction of a new configuration parameter useOpenidSubAttributeValueForPairwiseLocalAccountId to allow using the sub attribute value as the local account ID for algorithmic pairwise lookup.

Additionally, the changes to the PairwiseIdentifierService class ensure that pairwise identifiers are properly managed, with support for both persistent and algorithmic pairwise identifiers. The use of a key and salt for algorithmic pairwise identifiers, as well as the option to use the OpenID sub attribute value, are security-conscious features that help protect user privacy.

Overall, the code changes in this pull request appear to be focused on enhancing the application's security and compliance with OIDC standards, which is a positive sign for the project's security posture.

Files Changed:

1. jans-auth-server/server/src/main/java/io/jans/as/server/service/SectorIdentifierService.java:

   • Added a new getOpenidSubValue method to determine the appropriate value for the sub claim.
   • Updated the existing getSub method to call the new getOpenidSubValue method.

2. jans-auth-server/model/src/main/java/io/jans/as/model/configuration/AppConfiguration.java:

   • Added a new configuration parameter useOpenidSubAttributeValueForPairwiseLocalAccountId to specify whether the OpenID sub attribute value should be used as the local account ID for algorithmic pairwise lookup.

3. jans-auth-server/server/src/main/java/io/jans/as/server/service/PairwiseIdentifierService.java:

   • Implemented the logic for managing persistent and algorithmic pairwise identifiers.
   • Ensured that pairwise identifiers are unique for a given user, sector identifier, and client ID (or shared across clients with the same sector identifier, if configured).
   • Utilized a key and salt for algorithmic pairwise identifiers to prevent predictability and make it harder for an attacker to guess the identifiers.
   • Provided the option to use the OpenID sub attribute value for the pairwise identifier to improve user privacy.

Code Analysis

We ran 9 analyzers against 3 files and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.

[sonarqubecloud]

Quality Gate passed for 'jans-cli'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonarqubecloud]

Quality Gate passed for 'jans-linux-setup'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud