This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

What if token is compromised

Posted on 06-28-2021 04:59 PM
sp_9932
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

Hi just wondering how apigee protects backend if JWT token ever gets compromised(assuming token is still not expired). How do generally we should handle those situations? 

1 3 573
Topic Labels
3 REPLIES 3

Posted on --/--/---- --:-- AM
dchiesa1
Staff
Reply posted on --/--/---- --:-- AM

If you use a JWT as a Bearer token, then it is a ticket-to-ride. According to convention, systems should grant access to any party that presents that token.  In that way, the token is like cash money; if you hold the cash, then you can spend it.  You don't have to prove it's "your money".  You just hand it over and a store or seller will grant you rights based on your possession of the cash.  (a token is unlike cash money in that a token can be re-used, presumably for many different requests, while cash can be spent once. But i hope the partial analogy works for you).

The practice of using OAuth 2.0 Bearer tokens, and the exposure and risk associated to token leakage, is independent of whether you use Apigee. A leaked or compromised Bearer token... means the holder can now impersonate the original holder. So... take care not to allow your tokens to leak! That means doing the usual things:

  • don't record tokens in log files
  • don't allow them in URLs (use the header!)
  • don't expose them in the UI for operators to see unnecessarily.
  • And also, protect your system in case a token should leak: make the token lifetime short (10 minutes? 5 minutes) so that the window of exposure is smaller. 

All of this applies whether or not the token is a JWT or an opaque token. These risks happen if the token is used as a Bearer token

What if you want to protect yourself, or your system, further?  There are some approaches.

  • Bind a token to a network element. For example, use 2-way TLS, and bind the token to the fingerprint of the certificate the client presented in TLS negotiation, during the original request-for-token. In this case, the token issuer can issue the token, and remember the fingerprint (maybe even embed the fingerprint into the payload).  When the client presents the token again, asking for service, the verifier can check that the client-presented certificate is the same as that used during initial token request. This doesn't prevent leakage, but it does "bind" the token to the client-side TLS cert, which means you'd need to have leakage of both TLS key + cert as well as the token itself. This may be of benefit to you. Caveat: it works only if you can use mutual TLS for the connection (usually, that means it works only for managed clients).
  • Don't use bearer tokens.  The bearer token can be stored and re-used. An alternative approach is to use a token that is unique for each request. This might be an HMAC on the message payload, or on some digest of the message. For examples of this see Hawk, HttpSignature, or the AWS v4 cascaded HMAC signature approach. (Google Cloud uses a cascaded HMAC as well for cloud storage and I believe in other places) . The result of any of these is a unique, timestamped, expiring signature that is bound to each request.  It cannot be "leaked" because ... it's unique.  a malicious party could not reuse the signature with a different, future request.
  • use a POP token. This is similar to the TLS approach, except the key can be handled at application layer, not transport layer. To make this work, you need to have some way to insure the key the client is presenting is trustworthy. In other words a mutually trusted key dispensary.  And then the client needs to use that key.... perhaps to sign or encrypt its request (as with HttpSignature or HMAC).  Check this prior article for some details.  

 More resources

 

0 Likes

Posted on --/--/---- --:-- AM
Denis_KALITVI
Silver 2
Silver 2
Reply posted on --/--/---- --:-- AM

what happens if your house key is stolen? it's bad 🙂 

it depends on your flow, who's your clients, do you take other security barriers for your API access - for example, if JWT gets stolen, but you require mTLS, the token is worthless, etc. I don't think Apigee need to provide some extra layer for specific case like this, you need to make sure tokens will not get stolen on th way

0 Likes

Posted on --/--/---- --:-- AM
API-Evangelist
Silver 5
Silver 5
Reply posted on --/--/---- --:-- AM

Before token issuance we presume you generally onboard the client using dynamic client registration/some kind of auto onboard process.

During the process if you can capture some metadata (cert domain name ,client ip etc) and add it to the custom variables as part of the onboard which can help you to identify the client.

1. For public client use  mTLS + validate certificate domain name & certificate revocation etc on web authentication layer

2.On payload have client do sign payload  as a Detached JWS feature(https://datatracker.ietf.org/doc/html/rfc7515#appendix-F) if possible (apigee supports https://docs.apigee.com/api-platform/reference/policies/jwt-policies-overview) & you can validate against client jwks uri where they can publish the public certs for you to validate..

or some kind of alternate via HMAC (https://docs.apigee.com/api-platform/reference/policies/hmac-policy) this requires shared key..

3. Once above two are done issue a short lived (15 min jwt/jwe - depends on preference)

4.While responding back you can even sign the response back to the client where they can validate against your jwks uri.

Take precautions before publishing api..

Good Luck.

 

 

 

0 Likes