[ https://issues.apache.org/jira/browse/OFBIZ-9833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16649467#comment-16649467 ]
Jacques Le Roux commented on OFBIZ-9833:
----------------------------------------
While reviewing things for OFBIZ-10307, I stumbled upon the "replay attacks" point in [https://stormpath.com/blog/jwt-the-right-way]. It says:
{quote}If you're worried about replay attacks, include a nonce *(jti claim)*, expiration time (exp claim), and creation time (iat claim) in the claims. These are well defined in the JWT Spec.
{quote}
We already have exp and iat claims. We could add a jti claim using something similar to what is in ExternalLoginKeysManager::getExternalLoginKey. That would work as long as the same machine/session is used. But for a feature like OFBIZ-10307 (different sessions on different servers on different domains) we can't put the externalKey in the externalLoginKeys. We can't even store it in the source DB, since the target DB may be different. So it's impossible to validate the JWT on the target machine, the jti being unique.
What we thought we could do is to use a non-fixed jti claim (as types for JWTManager::validateToken) for (most) cases which, unlike for OFBIZ-10307, are handled with the same session on the same machine. Also, maybe a solution for OFBIZ-10307 would be to have access to the DB on the target machine from the source machine. Here is an interesting discussion on this subject: [https://stackoverflow.com/questions/28907831/how-to-use-jti-claim-in-a-jwt]
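The point raised above is that a jti claim only stops replays if the validating side keeps a record of the jti values it has already accepted, and that record has to be visible to every machine that validates the token. The following is an added illustration written for this page; it is not OFBiz code and does not use JWTManager or ExternalLoginKeysManager. It assumes HS256 signing, a hypothetical TokenValidator class whose replay store is a plain dict standing in for a per-machine (or shared) database, and a constructed secret. It shows a token being rejected on second use by the validator that first saw it, accepted by a second validator with its own store (the cross-machine gap described in the comment), and rejected again once the two validators share one store. The store only needs to retain a jti until the token's exp, so it stays bounded.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from typing import Dict, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(secret: bytes, subject: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Build an HS256 JWT carrying sub, iat, exp and a random jti (the nonce)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "iat": now, "exp": now + ttl_seconds, "jti": uuid.uuid4().hex}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenValidator:
    """Hypothetical validator; `seen` maps accepted jti -> exp and models one machine's DB."""

    def __init__(self, secret: bytes, seen: Optional[Dict[str, int]] = None):
        self.secret = secret
        self.seen = {} if seen is None else seen

    def validate(self, token: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h, c, s = parts
        expected = hmac.new(self.secret, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            raise ValueError("bad signature")
        if json.loads(_b64url_decode(h)).get("alg") != "HS256":
            raise ValueError("unexpected alg")
        claims = json.loads(_b64url_decode(c))
        for k in ("iat", "exp", "jti"):
            if k not in claims:
                raise ValueError(f"missing {k}")
        if claims["exp"] <= now:
            raise ValueError("expired")
        if claims["iat"] > now + 60:  # small clock-skew allowance
            raise ValueError("iat in the future")
        # Drop ids whose tokens can no longer validate anyway, keeping the store bounded.
        for jti, exp in list(self.seen.items()):
            if exp <= now:
                del self.seen[jti]
        if claims["jti"] in self.seen:
            raise ValueError("replayed jti")
        self.seen[claims["jti"]] = claims["exp"]
        return claims


def demo(secret: bytes = b"constructed-demo-secret", now: int = 1_700_000_000) -> dict:
    """Replay the same token against three store layouts; returns what each validator said."""
    token = mint_token(secret, "alice", 300, now)
    source = TokenValidator(secret)  # machine A with its own store
    first = source.validate(token, now)["sub"]
    try:
        source.validate(token, now + 1)
        same_machine = "accepted"
    except ValueError as e:
        same_machine = str(e)
    target = TokenValidator(secret)  # machine B: separate store, never saw the first use
    other_machine = "accepted" if target.validate(token, now + 2)["sub"] == "alice" else "rejected"
    shared: Dict[str, int] = {}  # one store reachable from both machines
    a, b = TokenValidator(secret, shared), TokenValidator(secret, shared)
    t2 = mint_token(secret, "bob", 300, now)
    a.validate(t2, now)
    try:
        b.validate(t2, now + 1)
        shared_store = "accepted"
    except ValueError as e:
        shared_store = str(e)
    return {"first": first, "same_machine": same_machine,
            "other_machine": other_machine, "shared_store": shared_store}


if __name__ == "__main__":
    print(demo())
```

The second validator accepting the replayed token is exactly the OFBIZ-10307 situation: exp and iat still bound the replay window, but without a shared (or reachable) store the jti adds nothing on the target machine.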
> Token Based Authentication
> --------------------------
>
> Key: OFBIZ-9833
> URL:
> https://issues.apache.org/jira/browse/OFBIZ-9833
> Project: OFBiz
> Issue Type: New Feature
> Components: framework
> Reporter: Deepak Dixit
> Assignee: Deepak Dixit
> Priority: Major
> Attachments: JSON Web Tokens.pdf, OFBIZ-9833-JWTManager.patch, Token Based Authentication in Apache OfBiz.pdf, Token Based Authentication.pdf, rfc7519.pdf
>
>
> Here is dev list discussion for token based authentication work:
>
> http://markmail.org/message/vyskeh2wujqpkbwg
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)