
JSON web token observation #1457


0
Repunjay created

Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token

As part of a web application assessment, there was an observation reported about JWT tokens.

The JSON web token (JWT) for your web application was not encrypted, allowing the data within it to be inspected with trivial effort. This revealed the email (username) and expiration date of the token.

The recommendation is one of the following:

  1. Remove sensitive data from the payload if it is not required - Not sure if this is possible and application will work
  2. Instead of placing sensitive data in the payload, use an indirect object reference which is resolved on the server side - Not sure if this is possible and application will work
  3. Encrypt the JWT payload using the JSON web encryption (JWE) scheme
  4. Encrypt sensitive data within the JWT payload using a custom process.

I understand that this is not related to the framework and it is the subject of Identity Server, but we don't have much control over it as the Identity Server is integrated within the framework itself. Can you guide us to remediate this issue based on the recommendations mentioned above? We need to know what changes will be required in the existing application code to handle it.

Thanks


1 Answer(s)
  • 0
    maliming created
    Support Team
    1. Remove sensitive data from the payload if it is not required - Not sure if this is possible and application will work
    2. Instead of placing sensitive data in the payload, use an indirect object reference which is resolved on the server side - Not sure if this is possible and application will work

    You can remove some claims from the Factory.

    https://github.com/abpframework/abp/blob/dev/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/AspNetIdentity/AbpUserClaimsFactory.cs
    https://github.com/abpframework/abp/blob/dev/modules/identity/src/Volo.Abp.Identity.Domain/Volo/Abp/Identity/AbpUserClaimsPrincipalFactory.cs
    https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory

    3. Encrypt the JWT payload using the JSON web encryption (JWE) scheme
    4. Encrypt sensitive data within the JWT payload using a custom process.

    I found some discussion about this.

    https://github.com/DureSameen/IdentityServer4.JWE
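The answer's first option, removing claims via the claims factory, can be done without replacing the factory class itself: ABP's claims principal factory (the docs link above) runs every registered `IAbpClaimsPrincipalContributor` after the identity claims have been added, and a contributor may remove claims as well as add them. The following is an added example for this thread, not code from ABP, Identity Server or the thread's authors. The class name and namespace are hypothetical. It assumes the email claim is present under `AbpClaimTypes.Email` (the short `email` type ABP uses) and possibly under the .NET `ClaimTypes.Email` type; it leaves the expiration claim alone, since token validation relies on `exp` and that value is not user data.

```csharp
// Added example: an ABP claims principal contributor that strips the email claim
// from the ClaimsPrincipal built by ABP's claims factory.
// Not ABP's own code; class name and namespace are hypothetical.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Security.Claims;

namespace MyCompany.MyProject.Claims // hypothetical namespace
{
    // ABP discovers IAbpClaimsPrincipalContributor implementations registered in DI
    // automatically (see the Authorization docs linked in the answer), so marking the
    // class ITransientDependency is enough to activate it.
    public class RemoveEmailClaimContributor : IAbpClaimsPrincipalContributor, ITransientDependency
    {
        // Claim types this application treats as sensitive; extend the list if the
        // assessment flags further claims.
        private static readonly string[] ClaimTypesToRemove =
        {
            AbpClaimTypes.Email, // "email", the type ABP writes
            ClaimTypes.Email     // the long XML-style .NET type, in case both are present
        };

        public Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
        {
            foreach (var identity in context.ClaimsPrincipal.Identities)
            {
                // Materialise the matches first: removing while enumerating the live
                // Claims collection would modify it during iteration.
                var toRemove = identity.Claims
                    .Where(c => ClaimTypesToRemove.Contains(c.Type))
                    .ToList();

                foreach (var claim in toRemove)
                {
                    // TryRemoveClaim returns false instead of throwing if the claim
                    // is not owned by this identity.
                    identity.TryRemoveClaim(claim);
                }
            }

            return Task.CompletedTask;
        }
    }
}
```

Two things to check before relying on this, which speak to the "not sure if the application will work" worry in the question. First, the contributor runs for every principal ABP builds, not only for token issuance, so `ICurrentUser.Email` (which reads the same claim) will return null afterwards; any code that uses it must load the email from the user store instead. Second, what Identity Server actually places in the id_token and access token also depends on the identity resources and API scopes the client requests (the `email` identity resource maps to the same claim), so the token returned to the client should be decoded and inspected after the change to confirm the claim is gone.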