Replace policies endpoint with hardcoded policies, fix sandbox OAuth flow #20
Security Gate
| Scanner | Status |
|---|---|
| executionplane | ✅ completed |
| executionplane | ⏱️ timed out |
🔍 32 pre-existing findings in unchanged files — not blocking this PR
These findings exist in files not touched by this PR. They are shown for awareness but do not block merging.
- HIGH `.github/workflows/build.yml:14` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/build.yml:17` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/build.yml:23` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/build.yml:28` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/publish.yml:33` — code injection via template expansion [gha-scan]
- HIGH `.github/workflows/publish.yml:38` — code injection via template expansion [gha-scan]
- HIGH `.github/workflows/publish.yml:20` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/publish.yml:23` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/publish.yml:29` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/release.yml:47` — code injection via template expansion [gha-scan]
- HIGH `.github/workflows/release.yml:27` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/release.yml:32` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/release.yml:38` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/release.yml:43` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/release.yml:75` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/release.yml:82` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/release.yml:201` — unpinned action reference [gha-scan]
- HIGH `.github/workflows/release.yml:43` — runtime artifacts potentially vulnerable to a cache poisoning attack [gha-scan]
- HIGH `.github/workflows/stale-prs.yml:28` — unpinned action reference [gha-scan]
- MEDIUM `.github/workflows/build.yml:13` — credential persistence through GitHub Actions artifacts [gha-scan]
- MEDIUM `.github/workflows/build.yml:10` — overly broad permissions [gha-scan]
- MEDIUM `.github/workflows/publish.yml:20` — credential persistence through GitHub Actions artifacts [gha-scan]
- MEDIUM `.github/workflows/release.yml:26` — credential persistence through GitHub Actions artifacts [gha-scan]
- MEDIUM `.github/workflows/secure-pipeline-ast.yml:16` — overly broad permissions [gha-scan]
- MEDIUM `.github/workflows/secure-pipeline-ast.yml:17` — secrets unconditionally inherited by called workflow [gha-scan]
- LOW `.github/workflows/release.yml:89` — code injection via template expansion [gha-scan]
- LOW `.github/workflows/release.yml:201` — action functionality is already included by the runner [gha-scan]
- INFO `/workspace/.github/workflows/publish.yml:33` — Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: `"$ENVVAR"`. [opengrep]
- INFO `/workspace/.github/workflows/release.yml:46` — same opengrep finding: `github` context data interpolated with `${{...}}` in a `run:` step; pass it through an `env:` variable and quote it as `"$ENVVAR"`. [opengrep]
- INFO `/workspace/.github/workflows/release.yml:212` — same opengrep finding: `github` context data interpolated with `${{...}}` in a `run:` step; pass it through an `env:` variable and quote it as `"$ENVVAR"`. [opengrep]
- INFO `/workspace/demo/src/main/AndroidManifest.xml:13` — The application exports an activity. Any application on the device can launch the exported activity, which may compromise the integrity of your application or its data. Ensure that any exported activities do not have privileged access to your application's control plane. [opengrep]
- INFO `/workspace/demo/src/main/AndroidManifest.xml:24` — same opengrep finding: the application exports an activity that any app on the device can launch. [opengrep]
📊 master baseline — pre-existing findings, won't block your merge
These findings existed on the target branch before your PR was opened.
None came from your changes. None affect your Security Gate result.
This section is for reviewers assessing pre-existing risk before approving.
| Severity | Open | 7d | 30d |
|---|---|---|---|
| 🔴 Critical | 0 | 0 | — |
| 🟠 High | 19 | 0 | — |
| 🟡 Medium | 6 | 0 | — |
| 🔵 Low | 2 | 0 | — |
14d total findings: ▄▄▄▄▄▄▄▄▄▄▄▄▄▄ (oldest → newest)
Last scanned: 2026-05-05 14:50 UTC
6d3a1a0 · 603.6s
Branch force-pushed from ba93be9 to 177ccdb
…flow

- Remove broken /api/public/v3/policies endpoint; replace with hardcoded Login, NIST AAL2/IAL2, and Military policies in AuthViewModel
- Add LOGIN and NIST_AAL2_IAL2 scopes to IDmeScope enum
- Read sandbox client ID and client_secret from local.properties via BuildConfig fields injected in demo/build.gradle.kts
- Include client_secret in token exchange body (ID.me sandbox requires it even for PKCE flows — only client_secret_post/basic auth methods supported)
- Include scope in token exchange request body
- Fix HTTP POST body writing to use explicit byte array + Content-Length header
- Remove deprecated policies() method from IDmeAuth and APIEndpoint
- Remove isLoadingPolicies state and LaunchedEffect policy fetch from LoginScreen

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove the policies() code example (method no longer exists)
- Add LOGIN and NIST_AAL2_IAL2 to the scopes reference table
- Update demo section: replace endpoint mention with standard policies list, add local.properties setup instructions for sandbox credentials

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Branch force-pushed from 6d3a1a0 to 35bf360
Security Gate
| Scanner | Status |
|---|---|
| executionplane | ❌ failed |
Last scanned: 2026-05-05 14:50 UTC
3af390c · 54.5s
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary

- … `/api/public/v3/policies` endpoint and replaces it with hardcoded standard policies (Login, NIST AAL2/IAL2, Military) in the demo `AuthViewModel`
- … `LOGIN` and `NIST_AAL2_IAL2` entries to the `IDmeScope` enum
- … `client_secret` read from `local.properties` via a `BuildConfig` field injected in `demo/build.gradle.kts`
- … `client_secret` in the token exchange request — ID.me sandbox only supports `client_secret_post`/`client_secret_basic` auth methods, so it is required even for PKCE flows
- … `scope` to the token exchange request body
- … `Content-Length` header
- … `policies()` method from `IDmeAuth` and `APIEndpoint`
- … `isLoadingPolicies` state and the `LaunchedEffect` policy fetch from `LoginScreen`

Test plan

- … `./gradlew :demo:installDebug`)

🤖 Generated with Claude Code
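The token-exchange shape the PR body describes (PKCE `code_verifier` plus `client_secret` sent as `client_secret_post`, `scope` in the body, and the body written as one byte array with an exact `Content-Length`) is shown below as an added, stand-alone example. It is not code from this repository or from the ID.me SDK; the token URL, redirect URI, scope strings and credential values are placeholders (the demo app reads the real sandbox `client_id`/`client_secret` from `BuildConfig` fields fed by `local.properties`), and `postForm`/`tokenExchangeBody` are names chosen here.

```kotlin
import java.net.HttpURLConnection
import java.net.URL
import java.net.URLEncoder
import java.security.MessageDigest
import java.security.SecureRandom
import java.util.Base64

// Placeholders, all assumptions for this example: in the demo app the sandbox
// credentials come from BuildConfig fields that demo/build.gradle.kts fills
// from local.properties. The host below is deliberately non-resolvable.
const val TOKEN_URL = "https://sandbox.example.invalid/oauth/token"
const val REDIRECT_URI = "com.example.demo://callback"

data class Pkce(val verifier: String, val challenge: String)

/** RFC 7636: 32 random bytes -> 43-char base64url verifier; challenge = base64url(SHA-256(verifier)). */
fun newPkce(): Pkce {
    val enc = Base64.getUrlEncoder().withoutPadding()
    val verifier = enc.encodeToString(ByteArray(32).also { SecureRandom().nextBytes(it) })
    val digest = MessageDigest.getInstance("SHA-256").digest(verifier.toByteArray(Charsets.US_ASCII))
    return Pkce(verifier, enc.encodeToString(digest))
}

/** application/x-www-form-urlencoded encoding; a LinkedHashMap keeps the field order stable. */
fun formEncode(params: Map<String, String>): String =
    params.entries.joinToString("&") { (k, v) ->
        URLEncoder.encode(k, "UTF-8") + "=" + URLEncoder.encode(v, "UTF-8")
    }

/**
 * Sandbox token-exchange body: the PKCE code_verifier AND the client_secret
 * (client_secret_post, since the sandbox accepts no other client auth method
 * per the PR description), plus the requested scope.
 */
fun tokenExchangeBody(
    code: String,
    clientId: String,
    clientSecret: String,
    codeVerifier: String,
    scopes: List<String>,
): ByteArray = formEncode(
    linkedMapOf(
        "grant_type" to "authorization_code",
        "code" to code,
        "redirect_uri" to REDIRECT_URI,
        "client_id" to clientId,
        "client_secret" to clientSecret,
        "code_verifier" to codeVerifier,
        "scope" to scopes.joinToString(" "),
    )
).toByteArray(Charsets.UTF_8)

/** POSTs a pre-built byte array with a fixed Content-Length (no chunked transfer); returns status and response text. */
fun postForm(url: String, body: ByteArray): Pair<Int, String> {
    val conn = (URL(url).openConnection() as HttpURLConnection).apply {
        requestMethod = "POST"
        doOutput = true
        connectTimeout = 10_000
        readTimeout = 10_000
        setRequestProperty("Content-Type", "application/x-www-form-urlencoded")
        setRequestProperty("Accept", "application/json")
        setFixedLengthStreamingMode(body.size) // the JDK emits "Content-Length: <body.size>" for this
    }
    conn.outputStream.use { it.write(body); it.flush() }
    val status = conn.responseCode
    val stream = if (status < 400) conn.inputStream else conn.errorStream
    val text = stream?.bufferedReader()?.use { it.readText() } ?: ""
    conn.disconnect()
    return status to text
}

fun main() {
    val pkce = newPkce()
    // The authorization request would carry code_challenge=${pkce.challenge}&code_challenge_method=S256;
    // "AUTH_CODE_FROM_REDIRECT" stands in for the code delivered to REDIRECT_URI.
    val secret = "sandbox-client-secret" // placeholder for BuildConfig.IDME_CLIENT_SECRET (assumed field name)
    val body = tokenExchangeBody(
        code = "AUTH_CODE_FROM_REDIRECT",
        clientId = "sandbox-client-id",
        clientSecret = secret,
        codeVerifier = pkce.verifier,
        scopes = listOf("openid", "login"), // assumed scope strings, not the SDK's IDmeScope values
    )
    println("Content-Length: ${body.size}")
    println(String(body, Charsets.UTF_8).replace(secret, "***")) // never log the secret itself
    // Only touch the network when explicitly asked; the placeholder host does not resolve.
    if (System.getenv("SEND_TOKEN_REQUEST") == "1") {
        val (status, text) = postForm(TOKEN_URL, body)
        println("$status $text")
    }
}
```

Two caveats for anyone copying this pattern out of the demo: a `BuildConfig` constant is compiled into the APK, so a `client_secret` injected from `local.properties` is extractable from any build that ships it, which is acceptable for sandbox credentials but not for a production secret; and the form body contains that secret, so redact it (as `main` does) before writing it to logs or crash reports. `setFixedLengthStreamingMode` is used rather than setting `Content-Length` by hand because the JDK's `HttpURLConnection` treats `Content-Length` as a restricted header and silently drops a manual `setRequestProperty` for it.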