I have a requirement where an access token generated using the password grant type should be encrypted on the front end and decrypted at Apigee X. Please suggest how to accomplish this. @Dino Chiesa please suggest.
Before I can provide a practical answer, I'll need you to explain your requirements a little further.
But first, some context I would like to share: An Access token is "a secret" which you do want to keep private. But, typically OAuth tokens are "bearer tokens", and per IETF RFC 6750, bearer tokens are deliberately intended to be usable by any party in possession of the token.
They specifically did not want apps or developers to have to deal with encryption or secure long term storage of the access token. For that reason the OAuth specifications made recommendations to limit the validity/expiry of bearer tokens, so that the loss or leakage of a token would result in only a limited window of vulnerability, like say, 15 minutes, after which the token expires naturally. It is unlike leakage of a password, in that respect. Basically, tokens are ephemeral. Passwords change much less often; they are persistent. In fact some of my passwords I haven't changed in YEARS. That's why authentication systems must not store passwords - any leakage of a password is a serious problem. Access tokens are different, based on their brief lifetime.
When apps follow the OAuth spec and recommendations, they encrypt tokens in transit, because the token is passed in an HTTP header, and because OAuth requires that you always use TLS when dispensing tokens and when using tokens. If you follow that, then there's a transport layer that auto-magically encrypts the token, so that only the receiving endpoint can decrypt it.
OK, given all that, what are your requirements, in more detail? What do you intend to accomplish by encrypting, at the application layer, a bearer token obtained through the password grant? What is the real goal here? What threat are you protecting against? Maybe elaborate in two or three paragraphs of explanation.
Encryption is a handy digital technique for obscuring data, but really it just replaces one kind of problem (making arbitrary data "private") with another kind of problem (key management). It is not possible to avoid the key management problem when you're talking about two parties or systems, like an App connecting to Apigee, using application-layer encryption to keep data private. So what is your thinking around key management? Do you think you will use symmetric encryption via secret keys? Or asymmetric encryption algorithms using public/private key pairs? And what's your thinking around key generation and storage, how would that work?
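The mitigation the answer above describes (a short-lived bearer token issued over TLS, rather than an application-layer encrypted token) maps onto an Apigee X OAuthV2 policy. This is an added example, not code from the question or the answer; the policy name and the choice to pass the user credentials in request headers are assumptions, and the 15-minute lifetime follows the figure used in the answer.

```xml
<!-- Example policy (added here, not from the original thread). Issues a
     bearer token for the password grant with a 15-minute lifetime. -->
<OAuthV2 name="GenerateAccessToken-Password">
  <Operation>GenerateAccessToken</Operation>
  <!-- ExpiresIn is in milliseconds: 900000 ms = 15 minutes.
       A leaked token is only usable until this window closes. -->
  <ExpiresIn>900000</ExpiresIn>
  <SupportedGrantTypes>
    <GrantType>password</GrantType>
  </SupportedGrantTypes>
  <!-- Where the proxy reads the grant type and the user credentials from.
       Header locations are an assumption for this example. -->
  <GrantType>request.queryparam.grant_type</GrantType>
  <UserName>request.header.username</UserName>
  <PassWord>request.header.password</PassWord>
  <!-- Return the token response directly from the policy. -->
  <GenerateResponse enabled="true"/>
</OAuthV2>
```

The token leaves the proxy in the HTTPS response body and comes back in the `Authorization` header on later calls, so TLS is what protects it in transit; no client-side key is needed, which is the key-management problem the answer points out.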