Security.Jwt

Add data protection to DatabaseJsonWebKeyStore and FileSystemStore

Open sherlock1982 opened this issue 9 months ago • 2 comments

Recently switched from DataProtectionStore to DatabaseJsonWebKeyStore and noticed that no DataProtection is present. It looks to me that the mentioned stores are generally less secure than the default one.

Note that for example MsalDistributedTokenCacheAdapterOptions has an option to Encrypt (default false):

    services.Configure<MsalDistributedTokenCacheAdapterOptions>(options =>
    {
        // Just for extra security here
        options.Encrypt = true;
    });

I added protection to DatabaseJsonWebKeyStore like this:

    // EF Core value converter: protect on write, unprotect on read
    keyModel.Property(key => key.Parameters).HasColumnName("parameters").HasConversion(
        val => Protect(val), dbVal => Unprotect(dbVal)
    );

With:

    // dataProtector is an IDataProtector obtained from
    // IDataProtectionProvider.CreateProtector(purpose)
    string Protect(string val)
    {
        return dataProtector.Protect(val);
    }

    string Unprotect(string dbVal)
    {
        try
        {
            return dataProtector.Unprotect(dbVal);
        }
        catch
        {
            // Something bad but also maybe unprotected payload
            return dbVal;
        }
    }

But I think it would be nice to have it in the stores out of the box.

The other option would be to add protection at a higher level for KeyMaterial, but that won't work well for some scenarios. For example, I'd like to store a public key separately so I can access it from other services but keep the private key only in the specific service.

sherlock1982, May 15 '24 13:05
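The following is an added example, not code from the Security.Jwt project or from the issue author, showing one way to get both things the post asks for: key material protected at rest with ASP.NET Core Data Protection, and the public JWK kept in a separate clear-text column so other services can read it while only the private JWK is protected. The `SigningKeyRow` entity, column names, purpose string and the "legacy rows are JSON starting with `{`" policy are assumptions for illustration. It also narrows the catch-all in the posted `Unprotect`: a payload that fails to unprotect and is not obviously plaintext JSON is treated as a key-ring or tampering problem rather than silently returned.

```csharp
// Added example (not Security.Jwt project code): protect private JWK material at
// rest with IDataProtector while leaving the public JWK readable by other services.
// Entity, column names, purpose string and legacy-row policy are assumptions.
using System;
using System.Security.Cryptography;
using System.Text.Json.Nodes;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;

// Hypothetical entity: one row per signing key.
public class SigningKeyRow
{
    public int Id { get; set; }
    public string KeyId { get; set; } = "";
    public string PublicJwk { get; set; } = "";   // stored in clear; shareable with other services
    public string PrivateJwk { get; set; } = "";  // protected at rest via the value converter below
}

public static class KeyMaterialProtection
{
    // The purpose string binds the ciphertext to this use: a protector created with a
    // different purpose (or a different key ring) cannot unprotect it.
    public const string Purpose = "Security.Jwt.PrivateKeyMaterial.v1";

    public static ValueConverter<string, string> CreateConverter(IDataProtector protector) =>
        new ValueConverter<string, string>(
            plain => protector.Protect(plain),          // on write
            stored => Unprotect(protector, stored));    // on read

    // Tolerate rows written before protection was enabled (they are JSON, so they start
    // with '{'); any other failure is a real error and must not fall back to raw data.
    // The string overload of Unprotect homogenizes decode/auth failures to CryptographicException.
    public static string Unprotect(IDataProtector protector, string stored)
    {
        try
        {
            return protector.Unprotect(stored);
        }
        catch (CryptographicException) when (stored.TrimStart().StartsWith("{"))
        {
            return stored; // assumed legacy, unprotected JWK row
        }
    }

    // Split an RSA key into a public JWK (n, e) and a private JWK (full CRT parameters).
    public static (string PublicJwk, string PrivateJwk) ToJwkPair(RSA rsa, string kid)
    {
        RSAParameters pub = rsa.ExportParameters(false);
        RSAParameters prv = rsa.ExportParameters(true);

        var publicNode = new JsonObject
        {
            ["kty"] = "RSA", ["kid"] = kid, ["use"] = "sig", ["alg"] = "RS256",
            ["n"] = Base64Url(pub.Modulus!), ["e"] = Base64Url(pub.Exponent!)
        };
        var privateNode = new JsonObject
        {
            ["kty"] = "RSA", ["kid"] = kid, ["use"] = "sig", ["alg"] = "RS256",
            ["n"] = Base64Url(prv.Modulus!), ["e"] = Base64Url(prv.Exponent!),
            ["d"] = Base64Url(prv.D!), ["p"] = Base64Url(prv.P!), ["q"] = Base64Url(prv.Q!),
            ["dp"] = Base64Url(prv.DP!), ["dq"] = Base64Url(prv.DQ!), ["qi"] = Base64Url(prv.InverseQ!)
        };
        return (publicNode.ToJsonString(), privateNode.ToJsonString());
    }

    // RFC 7515 base64url without padding, as JWK parameters require.
    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}

// Hypothetical DbContext: only the private column goes through the protecting converter.
public class KeyDbContext : DbContext
{
    private readonly IDataProtector _protector;

    public KeyDbContext(DbContextOptions<KeyDbContext> options, IDataProtectionProvider provider)
        : base(options)
        => _protector = provider.CreateProtector(KeyMaterialProtection.Purpose);

    public DbSet<SigningKeyRow> SigningKeys => Set<SigningKeyRow>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        var row = modelBuilder.Entity<SigningKeyRow>();
        row.Property(r => r.KeyId).HasColumnName("kid");
        row.Property(r => r.PublicJwk).HasColumnName("public_jwk");
        row.Property(r => r.PrivateJwk).HasColumnName("private_jwk")
           .HasConversion(KeyMaterialProtection.CreateConverter(_protector));
    }
}
```

Two things to keep in mind with this layout. Data Protection output is not deterministic, so the protected column cannot be queried or indexed; look rows up by `kid`, which stays in clear. And a service that should only verify tokens needs read access to `public_jwk` alone, which is exactly what the separate column buys; it never needs the Data Protection key ring of the signing service.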