Handle critical fields in JWT tokens #12
Assignees
Comments
This was referenced Sep 4, 2017
dividedmind
added a commit
to cyberark/conjur-rack
that referenced
this issue
Sep 19, 2017
JWT lacks a mechanism for specifying critical claims as JWS has with header 'crit' field; JWT spec suggests to ignore unrecognized claims and that is what a generic JWT library should do. However, conjur-rack is a specific application; for security reasons it's best to reject tokens which we don't totally understand, lest the requester is allowed to do what she is not in fact authorized to. If need be, this can be extended in the future with 'crit'-like mechanism for specifying optional claims. Related: cyberark/slosilo#12
|
There is no mechanism in JWT to indicate critical fields and even if there was, this verification requires application cooperation since it is application-specific; hence it's up to the consumer to examine the claims and have the final decision. Additional docstrings have been added to Slosilo methods to highlight this requirement, and a mechanism following this advice rejecting unrecognized claims has been added to |
ghost
removed
the
dividedmind
added a commit
that referenced
this issue
Sep 19, 2017
In particular it indicates some useful claims and explains that it's the caller's responsibility to verify claims this library doesn't understand. Closes #12
jvanderhoof
pushed a commit
that referenced
this issue
Oct 12, 2017
* Add support for JWT-formatted tokens See issue #10 for details * Accept pre-parsed JWT tokens in Slosilo::token_signer * Add some docstrings re JWT methods In particular it indicates some useful claims and explains that it's the caller's responsibility to verify claims this library doesn't understand. Closes #12 * Remove typ: 'JWT' header field It's optional and not really useful. Can always be provided by the client if required.
jvanderhoof
pushed a commit
to cyberark/conjur-rack
that referenced
this issue
Oct 12, 2017
* Remove Conjur::Rack::User#new_association It's not clear what was the intent behind this method, but there is no documentation and no usage as far as I can tell. * Some spec refactoring Split Authenticator and .user spec, make -fdoc more readable. * Use real Slosilo in specs While this might move the tests a bit on the unit-integration spectrum, it does make them more realistic and easier to implement. Specific things can still be mocked and stubbed as needed for test granularity. * Correctly handle JWT tokens Please refer to cyberark/slosilo#10 for details. * Add changelog entry * Apply CIDR restrictions Closes #11. * Reject tokens with unrecognized claims JWT lacks a mechanism for specifying critical claims as JWS has with header 'crit' field; JWT spec suggests to ignore unrecognized claims and that is what a generic JWT library should do. However, conjur-rack is a specific application; for security reasons it's best to reject tokens which we don't totally understand, lest the requester is allowed to do what she is not in fact authorized to. If need be, this can be extended in the future with 'crit'-like mechanism for specifying optional claims. Related: cyberark/slosilo#12
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For future extensibility, as noted in #10, consideration needs to be given to handling critical fields. #11 should not be merged into master until this is done.
The text was updated successfully, but these errors were encountered: