
Encrypt JWT_TOKEN in cookie #52

Open
dniel opened this issue Mar 5, 2019 · 1 comment
Labels
enhancement New feature or request

Comments

@dniel
Owner

dniel commented Mar 5, 2019

The JWT_TOKEN contains the user info of a user and should be protected.
It is intended only for the application that sent the client-id and client-secret, and should not be passed around to other applications. To make ForwardAuth the only application able to read the session token, the whole token should be encrypted. Other applications should get the needed user info from HTTP headers set by ForwardAuth or use the User info endpoint #51

Maybe implement a feature toggle for encryption so that it's easier for local development and if someone wants to use an unencrypted JWT_TOKEN anyways to pass the user profile around.

@dniel dniel added the enhancement New feature or request label Mar 5, 2019
@dniel dniel assigned dniel and unassigned dniel Mar 5, 2019
@dniel
Owner Author

dniel commented Mar 14, 2019

See https://tools.ietf.org/html/rfc7516 for the JWE specification
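To make concrete what the issue and the RFC reference describe (wrap the whole signed JWT in a JWE so only the service holding the key can read the claims, behind an encrypt/no-encrypt toggle), here is an added example in Go using only the standard library. It is not ForwardAuth's own code: the `SessionCodec` type, the 32-byte key and the placeholder JWT are constructed for the demonstration. It builds the RFC 7516 compact serialization with `alg` `dir` (the shared key is used directly as the content-encryption key) and `enc` `A256GCM`, and rejects a raw JWT, a tampered ciphertext or a token made with another key when encryption is on.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url alphabet that JOSE (RFC 7515/7516) mandates.
var b64 = base64.RawURLEncoding

// jweHeader is the JOSE protected header. alg "dir" means the shared key is
// used directly as the content-encryption key, which fits one service that
// both writes and reads its own session cookie.
type jweHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
}

// SessionCodec maps a signed JWT to the value stored in the session cookie.
// Encrypt is the feature toggle proposed in the issue: false stores the JWT
// as-is (local development), true wraps it in a JWE readable only with Key.
type SessionCodec struct {
	Encrypt bool
	Key     []byte // 32 bytes for A256GCM (constructed below for the demo)
}

func (c SessionCodec) aead() (cipher.AEAD, error) {
	if len(c.Key) != 32 {
		return nil, errors.New("A256GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(c.Key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encode returns the cookie value: the raw JWT when encryption is off, or the
// JWE compact form header.encryptedKey.iv.ciphertext.tag when it is on.
func (c SessionCodec) Encode(jwt string) (string, error) {
	if !c.Encrypt {
		return jwt, nil
	}
	gcm, err := c.aead()
	if err != nil {
		return "", err
	}
	hdr, _ := json.Marshal(jweHeader{Alg: "dir", Enc: "A256GCM"})
	protected := b64.EncodeToString(hdr)
	iv := make([]byte, gcm.NonceSize()) // 96-bit random IV, fresh per cookie
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// RFC 7516 section 5.1: the AAD is the ASCII of the encoded protected
	// header, so a modified header fails authentication along with the body.
	sealed := gcm.Seal(nil, iv, []byte(jwt), []byte(protected))
	split := len(sealed) - gcm.Overhead() // Go appends the 16-byte tag
	parts := []string{protected, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:split]), b64.EncodeToString(sealed[split:])}
	return strings.Join(parts, "."), nil
}

// Decode recovers the JWT from a cookie value. With encryption on, only a
// well-formed JWE that authenticates under Key is accepted.
func (c SessionCodec) Decode(cookie string) (string, error) {
	if !c.Encrypt {
		return cookie, nil
	}
	parts := strings.Split(cookie, ".")
	if len(parts) != 5 || parts[1] != "" { // "dir" carries no encrypted key
		return "", errors.New("cookie is not a JWE compact serialization with alg=dir")
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		var err error
		if raw[i], err = b64.DecodeString(p); err != nil {
			return "", fmt.Errorf("JWE part %d: %w", i, err)
		}
	}
	var hdr jweHeader
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "dir" || hdr.Enc != "A256GCM" {
		return "", fmt.Errorf("unsupported JWE header %q", raw[0])
	}
	gcm, err := c.aead()
	if err != nil {
		return "", err
	}
	if len(raw[2]) != gcm.NonceSize() || len(raw[4]) != gcm.Overhead() {
		return "", errors.New("JWE IV or tag has the wrong length")
	}
	plain, err := gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
	if err != nil {
		return "", errors.New("JWE authentication failed")
	}
	return string(plain), nil
}

func main() {
	codec := SessionCodec{Encrypt: true, Key: []byte("0123456789abcdef0123456789abcdef")} // demo key
	jwt := "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig"                                 // placeholder JWT
	cookie, _ := codec.Encode(jwt)
	fmt.Println("cookie:", cookie)
	back, err := codec.Decode(cookie)
	fmt.Println("decoded:", back, err)
	_, err = codec.Decode(jwt)
	fmt.Println("raw JWT with encryption on:", err)
}
```

Two things the snippet illustrates beyond the issue text: the signature inside the JWT is still verified after decryption as before (the JWE only adds confidentiality and integrity for the cookie), and because the protected header is authenticated data, a downstream service cannot downgrade the cookie to plaintext by rewriting `enc`. The toggle should default to encrypted; the plaintext mode exists only for the local-development case the issue mentions.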
