Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement infrastructure to verify jti claims #3749

Closed
paullatzelsperger opened this issue Dec 29, 2023 · 0 comments · Fixed by #4560 or eclipse-edc/IdentityHub#481
Closed

Implement infrastructure to verify jti claims #3749

paullatzelsperger opened this issue Dec 29, 2023 · 0 comments · Fixed by #4560 or eclipse-edc/IdentityHub#481
Assignees
@paullatzelsperger
Labels
enhancement New feature or request
Milestone
Milestone 18

Comments

@paullatzelsperger
Copy link
Member

Feature Request

Related to the refactoring of how tokens are handled in EDC (#3743) we need a way to validate jti claims. jti claims are supposed to be random strings with a good-as-zero possibility to be repeated within a reasonable amount of time.

Thus, the recipient of a JWT must record every jti claim value until at least time specified by the exp claim and reject an incoming JWT if it carries a "known" jti.

After that time, jti claims could theoretically be re-used because any prior token carrying the same jti have already expired and wouldn't be valid anyway.

Which Areas Would Be Affected?

identity services, token validation rules

Why Is the Feature Desired?

guarding against replay attacks

Solution Proposal

  1. persistent storage for jti claims: This could actually be a generic implementation, something like a TemporaryValueStorage, which records arbitrary values plus the start and end of their validity periods.
  2. both an In-Mem and a Postgres implementation
  3. an aggregate service: uses the TemporaryValueStorage to CRUD jti values
  4. a reaper thread running inside the service that cleans out expired entries from the storage
@paullatzelsperger paullatzelsperger added the enhancement New feature or request label Dec 29, 2023
@paullatzelsperger paullatzelsperger added this to the Milestone 13 milestone Dec 29, 2023
@ndr-brt ndr-brt modified the milestones: Milestone 13, Milestone 14 Jan 17, 2024
@darrylestrada97 darrylestrada97 mentioned this issue Jul 17, 2024
Closed
This was referenced Oct 18, 2024
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@paullatzelsperger paullatzelsperger

Labels
enhancement New feature or request
Projects
None yet
Milestone
Milestone 18
3 participants
@ndr-brt @paullatzelsperger @mspiekermann