Add withClaim validation for custom claim validation #826
Comments
This is possible by writing a custom Constraint (see jwt/src/Validation/Constraint.php, lines 1 to 12 in 40e92ba).
In addition to that:
This is literally what a cryptographic signature does:
The whole linked chapter seems very weak, in this regard :|
I don't really like that OWASP page, either. It is assuming that tokens are used in a browser context, so that it is possible to add a cookie that has a string, and then make the token contain the hash of the string. What about not allowing the token to be intercepted in the first place? This whole chapter sounds like it is trying to fix a situation that already went downhill, i.e. there is no reason to believe that if an attacker is able to intercept the token, it's impossible to intercept any other cookie as well.
From a security perspective you have to mitigate risks. It's impossible to force clients (e.g. browsers) and server developers to never possibly use HTTP, which will always be exposed to man-in-the-middle attacks.
True, but it increases the complexity of the JWT defence, and therefore reduces the number of script kiddies who can execute an attack. Additionally, alternate options for fingerprinting (browser local storage, validating against an internal cache/redis lookup) can be used with this PR. I think addition of the validation of a claim is of value to the library whether or not the OWASP example is followed. The OWASP example is, I think, trying to add the concept of CSRF tokens to JWTs, which is a well-known security pattern.
That honestly sounds a bit like "security by obfuscation". However, I still believe the constraint is useful =)
OWASP has a list of things to improve security in JWT. One of those things regarding token sidejacking is validating custom claims against a random fingerprint. It would be great if this library provided a way to compare custom claims and values and validate the claim exists and the value is correct.
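The fingerprint check requested above, written as a custom constraint against the library's Constraint interface. This is an added example, not code from the issue or from lcobucci/jwt itself; the class name FingerprintClaimMatches, the claim name and the cookie name are assumptions. It follows the OWASP sidejacking pattern the issue refers to: the raw random fingerprint lives in a hardened cookie, the token carries only its SHA-256 digest, and validation succeeds only when the claim exists and matches the digest in constant time.

```php
<?php
declare(strict_types=1);

use Lcobucci\JWT\Token;
use Lcobucci\JWT\Validation\Constraint;
use Lcobucci\JWT\Validation\ConstraintViolation;

/**
 * Hypothetical constraint (not part of lcobucci/jwt): asserts that the token
 * carries a claim whose value is the SHA-256 hex digest of a fingerprint that
 * the caller obtained out of band (e.g. from a HttpOnly/Secure cookie).
 */
final class FingerprintClaimMatches implements Constraint
{
    /** @var string */
    private $claimName;

    /** @var string */
    private $rawFingerprint;

    public function __construct(string $claimName, string $rawFingerprint)
    {
        $this->claimName      = $claimName;
        $this->rawFingerprint = $rawFingerprint;
    }

    public function assert(Token $token): void
    {
        $claims = $token->claims();

        // A token without the claim at all is rejected, not treated as "nothing to compare".
        if (! $claims->has($this->claimName)) {
            throw new ConstraintViolation(
                'The token does not contain the claim "' . $this->claimName . '"'
            );
        }

        $expected = hash('sha256', $this->rawFingerprint);
        $actual   = $claims->get($this->claimName);

        // Reject non-string claim values and use a constant-time comparison for the digest.
        if (! is_string($actual) || ! hash_equals($expected, $actual)) {
            throw new ConstraintViolation('The fingerprint claim does not match the presented fingerprint');
        }
    }
}

// Usage sketch (assumed names): read the raw fingerprint the server issued in a
// hardened cookie and pass the constraint to the validator together with the
// library's existing constraints (signature, expiry, issuer, ...).
//
//   $fingerprint = $_COOKIE['__Secure-Fgp'] ?? '';
//   $validator->assert($token, new FingerprintClaimMatches('fgp', $fingerprint));
```

The digest, not the raw fingerprint, goes into the token because the token is the artifact most likely to leak (logs, referrers, storage); a leaked token alone then fails this constraint, since the attacker would also need the separately protected cookie value.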