The Problem
JWT tokens are extensively used for securing APIs by authentication and authorization. When an API request arrives, the useful resource server decodes and verifies the JWT token, sometimes validating the signature for authentication and checking claims or scopes for authorization. For instance, the server may use claims within the token to determine if the person can entry a specific endpoint.
Nonetheless, finer entry management is commonly wanted. As an illustration, when a request fetches a buyer’s checking account particulars, the server should make sure the person is accessing their very own account, not another person’s.
A standard method is to incorporate the person’s account info within the JWT token claims or scopes, enabling the server to confirm the account being accessed. Whereas this works, it exposes Personally Identifiable Data (PII) like account numbers within the token. This publicity violates information safety insurance policies, because the token may be publicly accessible if logged or copied from a browser, resulting in potential information breaches.
Public Nature of a JWT Token
The content material of a JWT token’s payload will not be thought of secret or non-public information. JWT tokens sometimes have JSON Internet Signature (Part 3 of RFC 7515), which is an encrypted string used to guard bits in a token from tampering. Because of this a JWT is signed quite than encrypted. A JWT token offers safety by letting the useful resource server confirm the digital signature of the origin (IDP) thereby verifying that the token was not tempered or touched by some other entity. So far as JWT specification is worried, offering safety by Encryption isn’t the intention (In all trendy methods HTTP requests are secured utilizing HTTPS which takes care of encryption of your entire request together with that of the token). Subsequently the payload of a JWT token based mostly on JWS (JSON Internet Signature) isn’t presupposed to include secrets and techniques or PII.
This is a fast refresher on the construction of a JWT token. A well-formed JWT token consists of three base64 encoded (not encrypted) strings, concatenated utilizing a dot (.) separator.
- Header (Part 4 of RFC 7515): Incorporates metadata in regards to the token together with the cryptographic algorithms used to safe its contents
- JWT Payload: Incorporates a set of safety claims which can be verifiable by the useful resource server (a useful resource server hosts the API or utility being protected) ultimately that holds which means for the system being protected. These claims may be built-in claims outlined by the JWT specification or customized claims created and configured by the IDP (issuer of the token). See Part 4 of RFC 7519.
- JWT Signature: Incorporates digital signature from IDP and is used to confirm that the token was not tampered with. Earlier than utilizing or storing a JWT token its signature should be verified.
Fixing the PII Downside in JWT
Given the problem we outlined above and the fundamental nature of a JWT token, allow us to contemplate a hypothetical instance and attempt to clear up it. Suppose a financial institution buyer is trying to fetch their checking account particulars, like account stability, transactions, and many others. In the course of the workflow, the appliance calls a backend account API which is protected utilizing JWT tokens. Allow us to additionally assume that the JWT tokens are issued by an enterprise-level IDP like Auth0. The IDP is built-in with the group’s LDAP system for id federation and acts as an authoritative supply for managing person identities and entry. When a person authenticates, the request goes to the IDP that returns a JWT token in response. The JWT token consists of an identifier for the person, and a few built-in or customized claims describing the person’s entry. Now if we wish to present entry permissions to the granularity stage of a buyer’s account, a typical however flawed method of reaching this could be to embed person’s accounts straight within the token.
Instance
This is an instance of the payload of such a token.
Base 64 Encoded Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJzY29wZXMiOlsiYWNjb3VudHM6MTIzNDUsNDM3ODksOTA4NzUiXX0.r6bCsRn7ALxedEt8BZcqVc3YErCymtYHvSpPdsAnQaE
Decoded Token
Discover that the payload consists of account numbers straight embedded into the token and facilitates comparability of the precise account from the present HTTPS request with these accounts from the token that the person is permitted to make use of. This method works so far as entry management is worried however places us in violation of PII privateness compliance as a result of the truth that a JWT token is publicly identifiable info (apart from the digital signature after all) is ignored. Briefly, the above token may find yourself introducing the next vulnerabilities in our system.
- Publicity to delicate info:
- Embedding account numbers straight exposes Personally Identifiable Data (PII). If the token is logged, intercepted, or in any other case uncovered (by way of browser for instance), delicate info may be accessed by unauthorized brokers.
- JWT tokens even when signed, may be publicly decoded. So anybody can see the embedded PII information.
- Elevated threat of token misuse:
- Logging: Tokens may be logged by purchasers, servers, or intermediate methods after decoding or earlier than encoding. Thus account numbers and different PII, if current within the token, may be inadvertently and unwittingly uncovered by way of logging.
- Token Leakage: Generally throughout debugging and vendor help, tokens are exchanged for help tickets, and many others. account numbers and different PII information can get uncovered unintentionally in such circumstances.
- Regulatory compliance:
- Information safety legal guidelines: Many jurisdictions and nations have strict information safety legal guidelines. Embedding PII information in tokens may violate legal guidelines corresponding to GDPR or CCPA, resulting in potential authorized and monetary penalties.
Suggestions
To handle the above vulnerabilities, we should observe the beneath finest practices.
- Use UUIDs or different non-PII identifiers as values of customized claims
- As a substitute of embedding account numbers, use UUID or one other identifier that may be mapped to an precise account quantity from the database by way of the useful resource server internet hosting the protected API the person is attempting to invoke.
- The essential precept is that when an account will get created in your transactional database it ought to get a UUID-like id assigned to it, which must also be synced into your IDP. The JWT token issued by the IDP then ought to include this id as an alternative of straight embedding the account quantity.
- Maintain the token payload to a minimal
- You’ll at all times find yourself hitting measurement limits for the token payload as a result of it’s a part of the HTTP request. Subsequently, together with accounts or different application-specific particulars straight within the token isn’t solely insecure but additionally rigid. What is going to you do if one in every of your clients is a corporation and has hundreds of accounts (for departments and sub-departments) with the financial institution? This may pressure you to incorporate a considerable amount of information within the token thereby bloating the http request measurement.
- Substitute direct embedding of delicate information with server-side lookup
- This suggestion extends the primary one above. If we observe the fundamental precept that we are going to at all times embrace an identifier (UUID or one thing related) as an alternative of precise information and we ensure that this identifier is synced throughout the transactional database and IDP, then we will use this identifier to fetch the accounts from the database throughout the token verification course of after the request arrives on the useful resource server. This enables us to carry out a comparability with the account(s) within the incoming request with the person’s account from the database and validate their entry permissions.
- Think about using JWE (RFC 7516), if embedding delicate information is completely needed
- Whether it is unavoidable and completely needed to incorporate delicate info in JWT then we must always make use of JWE, to make sure that solely licensed events are allowed to decrypt and entry the token payload. I consider this must be the final resort as this introduces important complexity and might also impression efficiency on account of additional encryption/decryption logic.
Conclusion
Together with application-specific PII information in JWT tokens to offer entry management at a finer stage of granularity works in precept however breaches PII information safety and introduces the chance of violating Information Safety Legal guidelines, corresponding to GDPR and CCPA. Utilizing Non-PII identifiers within the token payload and performing a server-side look-up of delicate information utilizing these identifiers, as an alternative of direct token embedding can mitigate all these dangers and on the similar time present equal entry management capabilities to the specified wonderful stage of granularity.