
First Draft for JWT Best Practices Doc #1182

Draft: wants to merge 5 commits into base: master

Conversation

chalbersma

  • Ignores .idea files (pycharm ide)
  • Index updated by make generate-site
  • Added assets/JWTCSA as a place for assets and snippets
  • Added a JWT Cheat Sheet Doc
  • Fixed google_analytics in mkdocs.yaml
  • Added pymdownx plugins for:
    • Admonitions (blocks.details)
    • Code Snippets (snippets)
    • Tabbed Content (tabbed)
  • Pinned modern minimum versions on requirements.txt

This PR covers issue #1176.

Please do not merge yet. This is a work in progress at best.

@chalbersma (Author)

(image) How the multi-language stuff ends up looking.

@szh szh marked this pull request as draft August 30, 2023 13:45
@szh (Collaborator)

szh commented Aug 30, 2023

> Please do not merge yet. This is a work in progress at best

I marked this PR as a draft so nobody does by mistake.

@jmanico (Member)

jmanico commented Sep 7, 2023

I am super eager to see this fleshed out, can I help? Wanna meet and discuss?

@chalbersma (Author)

Honestly we probably should, but I'm super busy this week. I might have some time next.

chalbersma and others added 2 commits October 27, 2023 22:01
* Still not ready
* Taking some feedback from our attempt to implement a JWT-based auth scheme professionally.
* Recommends JWT symmetrically signed with JWKS certificates as it seems like it will be the best supported and offers an upgrade/portability path to OIDC.
@chalbersma (Author)

Slow going but was able to get a little more work on this. Have a JWKS + JWT example in python in there atm.

@EbonyAdder (Contributor)

Hello @chalbersma, just wanted to check where things stand on this or if you would like any assistance? I am familiar with JWT security and multiple programming languages, so I would be happy to assist if it is wanted.

@chalbersma (Author)

Hello @EbonyAdder,

At the company I work for we were looking to adopt a JWT auth-based standard. I was going to use the lessons learned and example code from that to populate this best practices document. Unfortunately, in the process of building, I think we're learning an unfortunate lesson about "naked" JWT authentication/authorization: that it might be best to use a "fuller" service mesh style system (think Envoy) to manage these tokens and connections.

This is still on my to-do list; I've just lost confidence that the approach recommended is still what should be recommended at this time.

@jmanico (Member)

jmanico commented Apr 13, 2024

Can we revisit this? Here are some of the ASVS requirements for ASVS 5.0.

V3.5 Token-based Session Management

Token-based session management includes JWT, OAuth, SAML, and API keys. Of these, API keys are known to be weak and should not be used in new code. JWTs and SAML tokens are examples of stateless session tokens. All checks noted below should be enforced by a trusted, back-end service as noted above.


| # | Description | CWE | NIST § |
|---|---|---|---|
| 3.5.1 | [GRAMMAR] Verify that the application allows users to revoke OAuth tokens that form trust relationships with linked applications. | 290 | 7.1.2 |
| 3.5.2 | [MOVED TO 3.1.3] | | |
| 3.5.3 | [MODIFIED, LEVEL L2 > L1] Verify that stateless session tokens make use of a digital signature to protect against tampering and this is checked before processing it further. | 345 | |
| 3.5.4 | [ADDED] Verify that stateless tokens are checked for expiration before processing them further. | 613 | |
| 3.5.5 | [ADDED] Verify that only allow-listed signing algorithms are allowed for a stateless token. | 757 | |
| 3.5.6 | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. | 287 | |
| 3.5.7 | [ADDED] Verify that all active stateless tokens, which are being relied upon for access control decisions, are revoked when admins change the entitlements or roles of the user. | 613 | |


## Issues

### None Hashing Algorithm


None is not a "hashing" algorithm. It is an "authentication algorithm".
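The ASVS V3.5 checks jmanico lists (3.5.3 signature, 3.5.4 expiration, 3.5.5 algorithm allow-list, 3.5.6 issuer/audience) and the `alg: none` point in the review comment above, as an added Python example that is not part of this PR or the cheat sheet draft. It uses only the standard library; `mint_hs256`, `verify_jwt`, `demo` and the key, issuer and audience values are constructed for the example.

```python
import base64, hashlib, hmac, json, time

ALLOWED_ALGS = {"HS256"}  # ASVS 3.5.5: an allow-list, so "none" can never pass


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build an HS256-signed token so the verifier has realistic input (constructed helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims, or raise ValueError; checks run in the ASVS V3.5 order."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 3.5.5: the header is attacker-controlled, so the alg it names is only honoured
    # if it is on our allow-list; "none" and any other alg are rejected here.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # 3.5.3: signature is checked before any claim is trusted (constant-time compare).
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # 3.5.4: a missing exp is treated the same as an expired one.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    # 3.5.6: issuer and audience must be exactly what this service expects.
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("wrong audience")
    return claims


def demo() -> str:
    """Constructed sample: mint a valid token and run it through every check."""
    key = b"constructed-demo-key-not-for-production"
    claims = {"iss": "https://idp.example", "aud": "orders-api", "sub": "alice", "exp": 2_000_000_000}
    return verify_jwt(mint_hs256(claims, key), key, "https://idp.example", "orders-api", now=1_900_000_000)["sub"]
```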
