
fix(jans-auth): #10445 modified the script and properties file #10446

Merged
merged 2 commits into from
Dec 18, 2024
Merged

Conversation

maduvena
Contributor

Prepare


Description

Target issue

#10445

closes #10445

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.


dryrunsecurity bot commented Dec 18, 2024

DryRun Security Summary

The pull request focuses on improving the FIDO2/passkey authentication functionality in the Jans Auth Server by updating terminology, simplifying user instructions, enhancing security, implementing robust error handling, and aligning with industry best practices.


Summary:

The code changes in this pull request are focused on improving the FIDO2 (Fast Identity Online) and passkey-related functionality in the Jans Auth Server application. The key changes include:

  1. Updating the terminology from "FIDO2" to "passkey" to align with industry trends and provide a more inclusive and device-agnostic approach to passwordless authentication.
  2. Simplifying the user-facing instructions and removing specific references to devices, making the application more user-friendly and accessible.
  3. Updating script source paths to use relative paths instead of absolute paths, which can help improve the overall security of the application by reducing the risk of potential script injection attacks.
  4. Implementing thorough error handling for various FIDO2/passkey-related errors, providing informative error messages to users.
  5. Ensuring secure storage and management of user credentials (e.g., public keys, attestation data) used for FIDO2/passkey authentication.

From an application security perspective, these changes appear to be focused on improving the user experience and aligning the application with industry standards and best practices for FIDO2 and passkey-based authentication. However, it is essential to thoroughly review the entire FIDO2/passkey implementation, including input validation, session management, and other security-sensitive areas, to ensure the ongoing security and integrity of the application.

Files Changed:

  1. jans-auth-server/server/src/main/resources/jans-auth.properties: This file contains updates to the FIDO2 and passkey-related configurations, including changes to user-facing messages, removal of Gluu-specific references, and simplification of user instructions.
  2. docs/script-catalog/person_authentication/fido2-external-authenticator/Fido2ExternalAuthenticator.py: This file includes changes to the implementation of the FIDO2 authentication flow, with a focus on secure cookie management, credential persistence, and error handling.
  3. jans-auth-server/server/src/main/webapp/auth/fido2/login.xhtml: The changes in this file update the script source paths for FIDO2-related JavaScript files, implement the FIDO2 authentication flow, and include error handling for various FIDO2-related scenarios.
  4. jans-auth-server/server/src/main/webapp/auth/fido2/passkeys.xhtml: This file contains changes related to the FIDO2 functionality, including updates to script source paths, handling of FIDO2 credential creation and assertion, and error handling.

Code Analysis

We ran 9 analyzers against 4 files and 1 analyzer had findings. 8 analyzers had no findings.

Analyzer findings:
  • Authn/Authz Analyzer: 4 findings


@mo-auto mo-auto added labels comp-docs (Touching folder /docs), comp-jans-auth-server (Component affected by issue or PR), kind-bug (Issue or PR is a bug in existing functionality) Dec 18, 2024
@yuriyz yuriyz enabled auto-merge (squash) December 18, 2024 08:37

@yuriyz yuriyz merged commit 99285e9 into main Dec 18, 2024
13 checks passed
@yuriyz yuriyz deleted the issue_10445 branch December 18, 2024 12:34
yurem pushed a commit that referenced this pull request Dec 18, 2024
… for fido (#10446)

Signed-off-by: Yuriy Movchan <Yuriy.Movchan@gmail.com>
ossdhaval pushed a commit that referenced this pull request Dec 27, 2024
Labels
  • comp-docs: Touching folder /docs
  • comp-jans-auth-server: Component affected by issue or PR
  • kind-bug: Issue or PR is a bug in existing functionality
Projects
None yet
Development

Successfully merging this pull request may close these issues.

fix(jans-auth): Errors in FIDO script
5 participants