Authentication Settings for Keycloak SSO based Logins


srini.vasan

Feb 7, 2020, 1:01:56 AM
to ZAP Jenkins Plugin
Hi,

Software Details:
-------------------------
ZAP : 2.8.0
Jenkins: 2.204.1
Jenkins ZAP Plugin: 1.1.0

Currently I am setting up the pipeline for finding security vulnerabilities using the ZAP Plugin in Jenkins.
I came across a few observations which need to be clarified.
  1. It scans only the given context site URL and the scan does not go into the sub-URLs. For example, http://app.example.com.* is given as the context and the application has some authentication settings. Most of the backend API calls would happen after login. But the problem is that the given login indicator and credentials are not working properly. We are getting only front-end URL scans like js & css. [Refer to the attached zap log]
  2. Consider app.example.com -> Application URL || app.sso-login.com -> SSO Login Provider URL, and authentication is happening through OAuth2 provided by the SSO Login Provider. It is happening through the redirect-uri set as the Application URL. After successful login, the SSO would redirect to the Application Dashboard page.
Please confirm whether the ZAP Jenkins plugin would support OAuth-based login applications. One thing I noticed is that we could achieve this by persisting the session with the ZAP UI and loading that session. But from a longer-run and automation perspective this won't be possible.

Regards,
Srinivasan T

Attachment: zap.log
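The redirect chain the post describes (app -> OAuth2 provider on app.sso-login.com -> redirect-uri back to app.example.com -> dashboard) crosses two hosts, while the quoted context include regex covers only one. The following added example, which is not code from the poster or from the ZAP Jenkins plugin, replays such a chain against context include/exclude regexes the way ZAP evaluates them (a full-match of the regex against the whole URL) and reports which hops a context-restricted scan would never follow. The hostnames are the ones from the post; every path, query string, the "PLACEHOLDER_CODE" value and the `configure_zap_context` helper (written against the zap-api-python client's `context.new_context`, `context.include_in_context` and `context.exclude_from_context` calls, assumed here) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed login chain for the flow in the post: app login page, OAuth2
# authorize request at the SSO provider, provider login page, redirect back
# to the app's redirect-uri with the code, then the dashboard.
# Only the two hostnames come from the post; paths/queries are made up.
OAUTH_LOGIN_HOPS = [
    "http://app.example.com/login",
    "https://app.sso-login.com/authorize?response_type=code&client_id=example"
    "&redirect_uri=http%3A%2F%2Fapp.example.com%2Fcallback",
    "https://app.sso-login.com/login",
    "http://app.example.com/callback?code=PLACEHOLDER_CODE",
    "http://app.example.com/dashboard",
]

# The include regex quoted in the post, as given.
POSTED_INCLUDE = ["http://app.example.com.*"]


def in_context(url, include, exclude=()):
    """Mimic ZAP's context test: a regex must match the entire URL, and any
    matching exclude regex wins over the includes."""
    if any(re.fullmatch(p, url) for p in exclude):
        return False
    return any(re.fullmatch(p, url) for p in include)


def out_of_scope_hops(hops, include, exclude=()):
    """Hops of a login chain that a scan restricted to this context will not
    follow; a non-empty list means the login cannot complete inside the scan."""
    return [u for u in hops if not in_context(u, include, exclude)]


def hosts_needed(hops):
    """Every host visited during login; each one needs an include regex."""
    return sorted({urlparse(u).hostname for u in hops})


def include_regexes_for(hops):
    """Build one full-match include regex per host in the usual
    scheme://host.* shape, accepting both http and https."""
    return [f"https?://{re.escape(h)}.*" for h in hosts_needed(hops)]


def configure_zap_context(zap, name, include, exclude=()):
    """Push the regexes into a running ZAP via the zap-api-python client.
    Assumed call signatures: context.new_context(name) -> context id,
    context.include_in_context(name, regex), context.exclude_from_context(name, regex).
    `zap` may be any object exposing that interface, so it can be faked in tests."""
    context_id = zap.context.new_context(name)
    for regex in include:
        zap.context.include_in_context(name, regex)
    for regex in exclude:
        zap.context.exclude_from_context(name, regex)
    return context_id


if __name__ == "__main__":
    missing = out_of_scope_hops(OAUTH_LOGIN_HOPS, POSTED_INCLUDE)
    print("Hops outside the posted context:")
    for u in missing:
        print("  ", u)
    fixed = include_regexes_for(OAUTH_LOGIN_HOPS)
    print("Include regexes covering the whole login chain:", fixed)
    print("Still out of scope:", out_of_scope_hops(OAUTH_LOGIN_HOPS, fixed))
```

Run stand-alone, the script lists the two SSO-provider hops as out of scope for the include regex quoted in the post and shows that adding an include for app.sso-login.com brings the whole chain into scope. Whether the Jenkins plugin's authentication settings then complete the OAuth2 login is a separate question that this check does not answer; it only rules out the context definition as the reason a scan never reaches post-login URLs.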