I am considering to use JWT. In the jwt.io example I am seeing the following information in the payload data:
"admin": true
Admin can be considered as a Role, hence my question. Is setting the role in the token payload a habitual/good practice? Given that roles can be dynamically modified, I'm quite interrogative.
The official JWT site explicitly mentions "authorization" (in contrast to "authentication") as a usecase for JWTs:
When should you use JSON Web Tokens?
Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
That being said, from a security-perspective you should think twice whether you really want to include roles or permissions in the token.
(The text below can be understood as a more "in-depth" follow up to the rather short-kept accepted answer)
Once you created and signed the token you grant the permission until the token expires. But what if you granted admin permissions by accident? Until the token expires, somebody is now operating on your site with permissions that were assigned by mistake.
Some people might argue that the token is short-lived, but this is not a strong argument given the amount of harm a person can do in short time. Some other people advocate to maintain a separate blacklist database table for tokens, which solves the problem of invalidating tokens, but adds some kind of session-state tracking to the backend, because you now need to keep track of all current sessions that are out there – so you would then have to make a db-call to the blacklist every time a request arrives to make sure it is not blacklisted yet. One may argue that this defeats the purpose of "putting the roles into the JWT to avoid an extra db-call" in the first place, since you just traded the extra "roles db-call" for an extra "blacklist db-call".
So instead of adding authorization claims to the token, you could keep information about user roles and permissions in your auth-server's db over which you have full control at any time (e.g. to revoke a certain permission for a user). If a request arrives, you fetch the current roles from the auth-server (or wherever you store your permissions).
By the way, if you have a look at the list of public claims registered by the IANA, you will see that these claims evolve around authentication and are not dealing with what the user is allowed to do (authorization).
So in summary you can...
add roles to your JWT if (a) convenience is important to you and (b) you want to avoid extra database calls to fetch permissions and (c) do not care about small time windows in which a person has rights assigned he shouldn't have and (d) you do not care about the (slight) increase in the JWT's payload size resulting from adding the permissions.
add roles to your JWT and use a blacklist if (a) you want to prevent any time windows in which a person has rights assigned he shouldn't have and (b) accept that this comes at the cost of making a request to a blacklist for every incoming request and (c) you do not care about the (slight) increase in the JWT's payload size resulting from adding the permissions.
not add roles to your JWT and fetch them on demand if (a) you want to prevent any time windows in which a person has rights assigned he shouldn't have or (b) avoid the overhead of a blacklist or (c) avoid increasing the size of your JWT payload to increase slightly and (d) if you accept that this comes at the cost of sometimes/always querying the roles on incoming requests.
Nothing stops you from creating claims to store extra information in your token if they can be useful for your client.
However I would rely on JWT only for authentication (who the caller is). If you need to perform authorization (what the caller can do), look up the caller roles/permissions from your persistent storage to get the most updated value.
For short-lived tokens (for example, when propagating authentication and authorization in a microservices cluster), I find it useful to have the roles in the token.
As mentioned here, ASP.NET Core will automatically detect any roles mentioned in the JWT:
{
"iss": "http://www.jerriepelser.com",
"aud": "blog-readers",
"sub": "123456",
"exp": 1499863217,
"roles": ["Admin", "SuperUser"]
}
and 'map' them to ASP.NET Roles which are commonly used to secure certain parts of your application.
[Authorize(Roles = "Admin")]
public class SettingsController : Controller
The server which is giving out (and signing) the JWT is commonly called an authorization server and not just an authentication server, so it makes sense to include role information (or scope) in the JWT, even though they're not registered claims.
Related
I've read several articles (such as this and this, and this SO answer) that suggest storing refresh tokens server-side in a database, or in-memory (or an in-memory store, such as Redis). From what I understand this is so they can be revoked.
Is there a good reason for storing all tokens as these articles suggest, rather than just storing blacklisted tokens on logout? If I understand the reasons for storing tokens, surely I could achieve the same effect by storing a token id in Redis (with a TTL as long as the expiry, so that the table doesn't grow unweildy).
Are there downsides to this approach, and if so, what are they (or conversely, what are the upsides of storing all tokens, vs just a list of revoked tokens?)
To elaborate, and why I think it should be fine to have a revocation list, here's the process I am imagining:
Issue tokens out
Once revoked (say, on logout), add an entry to a blacklist for a unique id (say, public_user_id if there are many tokens for different devices) with the revocation time, and add a TTL until the token's expiry
When a token is provided for auth, when there is an existing blacklist entry:
if a valid token is used, it'll be before it's expiry and have a creation time after the blacklist entry creation time for the unique id
if an invalid token is used, it'll either be expired or within the blacklist with the unique identifier before the entry creation
Am I missing something critical in that flow that would require a list of all tokens instead?
The advantage of having a list of all issued tokens is that you can have a full view of who has been already authenticated and has currently access to the system. You can then choose to revoke some tokens from this list based on any criteria (e.g. the age of the token, the roles associated with the user of the token, the IP address ranges).
If you only have a list of revoked tokens, it would be impossible to choose at runtime, an arbitrary criteria, to revoke a subset of the valid tokens. Stated otherwise, if you don't have a list of all issued tokens, the revocation criteria cannot be enforced globally at once, but only when a token is presented to a resource server.
The only deciding factor I can think of, that will require a list of all refresh tokens is the following:
Do you / will you, at any point, need to have a functionality where you can dynamically revoke valid refresh tokens, based on some arbitrary, regulatory, legal, integrity, security etc. criteria?
If so, the least you will need is a list of all issued tokens, plus any metadata required to implement the criteria logic.
Example: "Due to regulation, I need to ban all EU users" equates to delete from refresh_tokens were user_ip in <... eu logic ...>
I would aim for a direction of technical simplicity here, since the Authorization Server (AS) should do the hard work for you. Here are some end to end notes which explain some tricky aspects and suggest a simple direction.
1. TOKEN ISSUING
The user authenticates (and optionally consents) resulting in a token 'grant'. The AS should then store refresh tokens for you, in a database table that might be named 'delegations'. Typically the stored 'token' will be a hash rather than the real value, and will be linked to the application (client_id) and user (subject). Tokens issued might have these lifetimes:
Refresh token: 4 hours
Access token: 30 minutes
2. TOKEN REFRESH
OAuth clients such as mobile apps will silently renew access tokens during the lifetime of the grant or 'user session'. This involves sending a refresh token to the AS and getting back a new access token. For this to work the AS needs to store a hash of the refresh token in order to be able to validate the input.
3. DEFAULT REMOVAL BEHAVIOUR
When a user logs out, tokens are cleared from the client app, so they are gone. Newer OAuth 2.1 recommendations are to use rotating refresh tokens, where each access token refresh also renews the refresh token and invalidates the previous one. In our example this now means that the lifetime of a stolen refresh token is likely to be reduced - perhaps to only 30 minutes.
4. MANUAL REVOCATION BY ADMINISTRATOR
If for some reason you want to explicitly deny access to a particular user and application, an administrator could use the AS database and issue a command like this, though the Admin UI may provide more visual options.
delete from delegations where client_id=[value] and subject=[value]
Whether manual revocation is likely to be manageable at a people level is questionable but it is a good capability to have, eg in security reviews.
5. REVOCATION OF REFRESH TOKENS ON LOGOUT
Of course the client can revoke its own refresh tokens on logout if required, before clearing tokens. This should also ensure that any access tokens for the same grant are rejected by the Authorization Server.
6. ACCESS TOKEN VALIDITY
Access tokens are most commonly JWTs. Revocation or logout may occur when the JWT still has 25 minutes to live. If an attacker has somehow intercepted an access token (which shouldn't usually be possible) they can continue to use it against your APIs - during this period the AS will never see the access token.
7. API GATEWAY SETUPS
In a more sophisticated setup, opaque access tokens are issued to internet clients, then sent to an API gateway, which introspects them, as in the Phantom Token Pattern. The gateway also maintains a cache of the access token result.
At the time of revocation the AS can raise a Custom Event to inform the API Gateway, which can then clear any cached access tokens for the user. This should ensure that the very next request with an access token for the revoked (or logged out) user is rejected.
SUMMARY
Unless you are dealing with a very high security domain I would aim for simplicity and follow these two principles:
Leave token storage and revocation to the Authorization Server
Keep tokens short lived so that revocation becomes less of an issue
For most client applications and UI approaches JWTs seem to be a good way to carry tokens for an OAuth based approach. This allows decoupling of a User/Auth service and the services that are actually being accessed.
Given this architecture
My question is: in the case of public APIs (ie Github or Slack) where a bearer key is generated with specific roles. How is that key authorized in a microservice architecture? Do those types of keys just require that the Auth service gets queried with every request?
Could an API gateway mitigate this? I would like to understand if a solution exists where there is minimal communication between services. Thank you!
Normally, this is solved using scopes. The scopes are permissions given to a user to do certain operations,for example there will be a scope for read a repository, another for update it, another one for delete etc..
These scopes are tied to the token and normally are requested by the user himself or added automatically depending on the user type. And the same as the authentication process, they could be included in the token itself coded as a claim in a jwt or they could be requested or checked by calling an oauth server when one operation is requested.
The advantages of include them in jwt is that there is not need to call an external server every time an operation is requested so there is a lower latency and less bandwith is required, also you remove a point of failure. Obviously if this solution is used the token must be properly signed or even encrypted to avoid possible manipulations.
However it has also drawbacks, and the most dangerous one is that the token cannot be revoked because this information cannot be included in the token and the service that check if the token is valid only can access the data contained in the token itself. Because of this, this kind of tokens are normally issued with a little expiry time so in case of the token is stolen, the validity of it will be very limited
At my company, we are building an application on top of microservices. We are struggling with deciding how to handle authorization and authentication. We are thinking of going down the path where we use OpenId Connect to authenticate the users, but when it comes to authorization, we need some advice.
Let me explain how to solution works: A user can have different roles in different departments, and the number of departments can exceed 200. In each department, the user can have multiple roles. We understand that the recommended way of handling roles is to put them in the token sent from the client to the server (JWT). But, we are worried that this will make the token payload too big. As far as I know, a browser can hold headers up to 5KB of data. In our case, this means around 50 departments with two roles (uncompressed). The pros of doing it this way are that the user is authorized and authenticated when he/she enters the microservice. The cons are, as I mentioned, the large payload in the token.
We are also looking at a different option where we keep the JWT to a minimum (userid and departmentid) and query Keycloak for the user rights on every request (maybe add some caching mechanism with a short lifespan). This approach will generate a lot of request to the authorization server.
What I'm looking for is some advice/experience of how others have solved this. I'm happy to provide more information if needed.
To make it easier for you to give your advice, here are a short description of the two choices:
1) Use JWT to handle authentication and authorization? Why?
2) Keep JWT light and make requests to the authorization server in every microservice? Why?
I'd say, two options:
Option 1
Keep the JWT light
Use OAuth2 "Authorization Code" grant type with both refresh token and access token
Cache the user rights in a centralized distributed caching system with an eviction policy like LFU
During access token renewal (which will happen periodically depending on the access token validity period), get the latest access rights of the user and refresh the cache
If access rights are not available in cache, query the Keycloak and add the entries in the cache
Thus,
Any change in rights will take the token validity period to get reflected
The performance will be better due to caching
Option 2
Same as Option 1 except that you can use change data capture (CDC) on the user privilege DB to keep the cache updated with any change in access rights.
I am working on a api server which revives requests from a mobile app. I am using JWT with ASP.Net MVC Web API 2. In this Admin gives access of various departments to mobile app users. I set these DeptIds in Claims at the time of Login. On every authorised request from app, in a custom action filter attribute I read claims to match deptId in request URL with claims. This all scenario works fine.
Now my problem is, when Admin revokes access of any particular dept from app user, how should I expire the access_token of that user so that, on Login request call, I can set new Claims. Otherwise, as Admin removes access from server but the deptId still exists in user's Claims so user still have access to that department.
One way is on every request, check in database for access but that increases overhead of server also increases response time. So I don't want to go this way.
I didn't find anything on web how to expire token in JWT. Can any one help on this?
A JWT token happens to be a kind of token that allows it to be self-contained i.e. one can validate it without consulting an external entity.
That also means that there's no external entity that will tell you that the token was revoked or expired. Expiration can only happen by some property in the JWT itself; the exp claim was standardized for that purpose: it will tell the recipient the time after which the information in it must no longer consider to be valid
Authentication and Authorization are different things.
Use JWT for Authentication but not for Authorization. I mean that using JWT you can know who the user are but don't put information about what user can do into the JWT. Check permissions for the user on the server side basing on just user's identity that you got from JWT. You may also put into JWT some information that additionally limits access rights (i.e. blacklisting; for example, social network site creates an access token for a game to access my identity and friends list but not my posts) but don't put there information that directly provides access to some features (i.e. whitelisting). In that way you can easily remove access to some features on your sever-side despite that fact that the user is already logged in with JWT.
I understand you are interested in revoking or invalidating tokens instead of expiring them.
Revoking or invalidating tokens
Unfortunately it's not possible to achieve it
without keeping the track of the tokens somewhere:
Issue a token and add it to a whitelist to keep the track of it.
When validating a token, check the whitelist and refuse the request if it is not whitelisted.
To revoke or invalidate a token, remove it from the whitelist.
This security schema require some trade-offs. Deal with it.
Performance considerations
Regarding your performance concerns: Bear in mind that premature optimization is the root of all evil. You shouldn't optimize until you have a performance problem and you have proven that the performance problem comes from the way you store your tokens.
You could start storing the tokens in the database and then consider a cache in memory, for example. But always be careful when fixing a problem that you currently don't have.
Token identifier
The jti claim should be used to store the token identifier on the token. When validating the token, ensure that it's valid by checking the value of the jti claim against the token identifiers you have on server side.
For the token identifier you could use a UUID.
I'm creating an API along with a SPA for a personal project and I'm hesitating between the following solutions to authenticate users (note: over HTTPS):
HTTP Basic Authentication (send username/password wich each request)
Token based authentication (store SHA1-ed user tokens in the database)
JSON Web Token (JWT) authentication
I don't even consider OAuth cause it seems like a real pain plus I don't need to authenticate with other apps, I'm only concerned about authenticating users.
From what I've read, JWT seems to be a growing standard. It basically holds the caller's data so everytime he makes an API request you encrypt(base64(header) + "." + base64(payload)) with your secret and you compare it with the signature provided in the last part of the token itself. It avoids having to perform DB transactions.
The problem is that if I use JWT 1) I have no possibility to manually revoke specific tokens, and most of all 2) if I change a user's permissions, the previously granted JWT will still have the old data with his old permissions which could grant/restrict him continuous access to some data as long as he doesn't get a new token with his new permissions, which is really problematic and I'm surprised I haven't seen anyone mentionning this problem yet. Moreover, 3) JWT claims to allow the server to validate access without having access to DB but I can't imagine any API request that doesn't involve the database somehow, if only to return data the user asked for. So this argument doesn't make any sense to me.
To me, my best option right now is option 2. Website will have restricted and small traffic so storing tokens in the Database seems like a small and worthwhile trade-off and allow me to do anything I want with these tokens, including managing their lifecycle and permissions. It also avoids exposing the users' credentials like in option 1, in case they use the same ones for other online services.
I just want to know if my concerns about JWT are right or if I misunderstood its functioning? Also, even if I've already read a lot about these different options, feel free to link anything that could enlight me and help me make a better choice. Thanks.
You are right and invalidating tokens before expiration time is a common JWT problem. There are several reason to consider: account deleted/blocked/suspended, password changed, permissions changed, user logged out by admin.
With JWT, you can also set a token blacklist to store tokens that were between logout & expiry time, mark expired and check it in every request. You can include only the ID (jti claim of JWT) or use the last login date and the iat claim (issued at)
Other technique to invalidate tokens when user changes their password/permissions is signing the token with a hash of those fields. If the field value changes, any previous tokens automatically fail to verify.
See https://stackoverflow.com/a/37520125/6371459
Finally, be aware that the token is signed with server private key (not encrypted)
sign(base64(header) + "." + base64(payload))