-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Token Claims #7
Comments
Client ID in DID.appJust to confirm, do you mean the As much as possible I am trying to follow the OpenID spec https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation point 3 User Email,What would be the value of not including it to a site implementing DID? The email is verifiedI don't quite understand your suggestion here, sorry. JWE Instead of JWSThe OpenID standard does include the option for supporting encryption, it's something we would add. For now we are trying to validate the user flow for end users and developers integrating DID at the moment so it's not a top priority. |
Client ID in DID.app
Yes
So at least you could hash it, then I would do the same in my backend, and I would know that it's the client_id I expect, thus not revealing it to the world. User Email,
Client privacy, data protection, preventing client emails collection just by collecting them from networks attacks or even more usual from logs. Developers forgot how often Logs can be the source of a Data Breach. Logs contain too much valuable data, that lots of us don't even realize. Remember GDPR fines are huge, therefore anything we can do to reduce exposure of Personal Identifiable Information(PII) we must do, otherwise GDPR in a data breach will take it as you have not done enough to protect the user data. It's a common mistaken across the developer community to include more data then it should in normal JWS tokens. You just need to include a The email is verified
No problem. I also made the assumption you where using secrets, when it's using a public key to verify them.
Oh I see, that defeats the solution that I was proposing, because they are public available, while if the JWS was signed with a secret, it would be only known by the DID backend and the client backend, therefore allowing for JWS tokens to not reveal to the outside world if they represent a valid authentication or an invalid one. JWE Instead of JWS
As I mention PII information needs to be kept private all the time, and in my opinion JWE should be the only option available when PII data is included in a token, despite what any standard may say, because standards are always lagging years behind the needs of the real world. Bear in mind that I am not saying that standards are not good or should not be followed, by the contrary, but sometimes you have to upgrade them on your own when it makes sense, like in PII data protection. |
On the subject of emails being in the token claim, I think there are different use cases. I'd like the user to have the option of logging in anonymously or not. If not, then my website can examine the email address and decide whether they have specific privileges. If anonymous, then they may have limited access to my website, perhaps only with the ability to save data/preferences in local storage. The above assumes that the email address is reliable, which for me means that it has been verified (by DID) in the past, say, 7 days. Like mobile phone numbers, email addresses can be recycled. Or when someone leaves a company they can be terminated, and I don't want that person to have access. -- As an alternative to JWT, JWS and JWE, I've been looking at PASETO, which was "developed as a simpler, more secure alternative to JWTs". |
I am giving a try to DID and I like the concept as a whole, but I have some remarks that I would like to mention.
Token Claims
On a success login we get this Token Claims:
Why are you leaking the following?
Client ID in DID.app
In my opinion this could not be revealed, but do you have a reason to have it in the claims?
User Email
This is the type of data that can be retrieved by using the
sub
claim to query the DID backend.I understand that may be convenient, but at least I would like that this value would not be there by default. Maybe an option to not include it in the DID Dashboard?
The email is verified
You can achieve the same by signing the token with an invalid
CLIENT_SECRET
, thus when the backend is not able to verify the token signature it knows the token is invalid. This means that the email is not indeed verified or that the token was tampered with.But if you want to keep the current flow of letting the backend know that the email is indeed not verified, then you can sign the token with the
CLIENT_INVALID_SECRET
.With this approach you don't reveal to an attacker introspecting the claims If the token represents a valid user or not.
JWE Instead of JWS
Currently signed tokens(JWS) are being used, that leave the claims publicly exposed, and an alternative would be to use encrypted tokens(JWE), did you though about using JWE?
The text was updated successfully, but these errors were encountered: