
First Draft for JWT Best Practices Doc

Open chalbersma opened this issue 2 years ago • 11 comments

  • Ignores .idea files (pycharm ide)
  • Index updated by make generate-site
  • Added assets/JWTCSA as a place for assets and snippets
  • Added a JWT Cheat Sheet Doc
  • Fixed google_analytics in mkdocs.yaml
  • Added pymdownx plugins for:
    • Admonitions (blocks.details)
    • Code Snippets (snippets)
    • Tabbed Content (tabbed)
  • Pinned modern minimum versions on requirements.txt

This PR covers issue #1176 .

Please do not merge yet. This is a work in progress at best.

chalbersma avatar Aug 11 '23 21:08 chalbersma

image

How the multi language stuff ends up looking.

chalbersma avatar Aug 11 '23 21:08 chalbersma

Please do not merge yet. This is a work in progress at best

I marked this PR as a draft so nobody does by mistake.

szh avatar Aug 30 '23 13:08 szh

I am super eager to see this fleshed out, can I help? Wanna meet and discuss?

jmanico avatar Sep 07 '23 16:09 jmanico

Honestly we probably should, but I'm super busy this week. I might have some time next.

chalbersma avatar Sep 08 '23 05:09 chalbersma

Slow going but was able to get a little more work on this. Have a JWKS + JWT example in python in there atm.

chalbersma avatar Oct 28 '23 07:10 chalbersma

Hello, @chalbersma, just wanted to check where things stand on this or if you would like any assistance? I am familiar with JWT security and multiple programming languages, so I would be happy to assist if wanted.

EbonyAdder avatar Nov 25 '23 15:11 EbonyAdder

Hello @EbonyAdder

At the company I work for, we were looking to adopt a JWT auth-based standard. I was going to use the lessons learned and example code from that to populate this best practices document. Unfortunately, in the process of building, I think we're learning an unfortunate lesson for "naked" JWT authentication/authorization: that it might be best to use a "fuller" service mesh style system (think Envoy) to manage these tokens and connections.

This is still on my to-do list; I've just lost confidence that the approach recommended is still what should be recommended at this time.

chalbersma avatar Nov 29 '23 16:11 chalbersma

Can we revisit this? Here are some of the ASVS requirements for ASVS 5.0.

V3.5 Token-based Session Management

Token-based session management includes JWT, OAuth, SAML, and API keys. Of these, API keys are known to be weak and should not be used in new code. JWTs and SAML tokens are examples of stateless session tokens. All checks noted below should be enforced by a trusted, back-end service as noted above.


| # | Description | L1 | L2 | L3 | CWE | NIST § |
|---|-------------|----|----|----|-----|--------|
| 3.5.1 | [GRAMMAR] Verify that the application allows users to revoke OAuth tokens that form trust relationships with linked applications. | | | | 290 | 7.1.2 |
| 3.5.2 | [MOVED TO 3.1.3] | | | | | |
| 3.5.3 | [MODIFIED, LEVEL L2 > L1] Verify that stateless session tokens make use of a digital signature to protect against tampering and this is checked before processing it further. | | | | 345 | |
| 3.5.4 | [ADDED] Verify that stateless tokens are checked for expiration before processing them further. | | | | 613 | |
| 3.5.5 | [ADDED] Verify that only allow-listed signing algorithms are allowed for a stateless token. | | | | 757 | |
| 3.5.6 | [ADDED] Verify that other, security-sensitive attributes of a stateless token are being verified. For example, in a JWT this may include issuer, subject, and audience. | | | | 287 | |
| 3.5.7 | [ADDED] Verify that all active stateless tokens, which are being relied upon for access control decisions, are revoked when admins change the entitlements or roles of the user. | | | | 613 | |

jmanico avatar Apr 13 '24 20:04 jmanico
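The checks in 3.5.3 through 3.5.7 above, as an added example that is not code from this PR, from the CheatSheetSeries repository, or from the ASVS project. It uses HS256 tokens built with the Python standard library only so it runs offline; the signing key, the entitlement table, the `ent_ver` claim and the tokens are all constructed for the demo. The `ent_ver` mechanism (a per-subject entitlement version that the server bumps on a role change, invalidating every token issued under the old version) is one assumed way to meet 3.5.7, not something ASVS prescribes.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not from the PR or ASVS). Verifier order matters: algorithm
# allow-list, then signature, then claims. Nothing in the payload is trusted
# before the signature check passes.

ALLOWED_ALGS = {"HS256"}  # 3.5.5: explicit allow-list; "none" is never on it


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issuer side: mint an HS256 token. Kept minimal; the verifier is the point."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(mac)


class TokenRejected(Exception):
    pass


def verify_jwt(token, key, expected_iss, expected_aud, entitlement_versions, now=None):
    """Return the claims of a token that passes ASVS 3.5.3-3.5.7 style checks."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenRejected("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # 3.5.5: the header's alg is only used to reject; it never selects a key.
    if header.get("alg") not in ALLOWED_ALGS:
        raise TokenRejected(f"algorithm not allowed: {header.get('alg')!r}")
    # 3.5.3: signature check before any claim is read.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3.5.4: exp is required, not optional.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        raise TokenRejected("expired or missing exp")
    # 3.5.6: issuer, audience, subject.
    if claims.get("iss") != expected_iss:
        raise TokenRejected("unexpected issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience mismatch")
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise TokenRejected("missing subject")
    # 3.5.7 (assumed approach): token must carry the subject's current
    # entitlement version; a role change bumps the server-side version.
    if claims.get("ent_ver") != entitlement_versions.get(sub):
        raise TokenRejected("entitlements changed since issuance")
    return claims


def demo() -> dict:
    """Run the verifier over constructed tokens; returns the outcome per case."""
    key = b"constructed-demo-key-not-for-production"
    iss, aud = "https://issuer.example", "api.example"
    versions = {"alice": 3}  # constructed server-side entitlement state
    now = 1_700_000_000
    base = {"iss": iss, "aud": [aud], "sub": "alice", "exp": now + 300, "ent_ver": 3}

    def check(token, table=versions):
        try:
            verify_jwt(token, key, iss, aud, table, now=now)
            return "accepted"
        except TokenRejected as exc:
            return f"rejected: {exc}"

    good = sign_hs256(base, key)
    hdr, _payload, sig = good.split(".")
    none_hdr = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    forged = _b64url_encode(json.dumps(dict(base, sub="admin")).encode())
    return {
        "valid": check(good),
        "alg_none": check(f"{none_hdr}.{forged}."),      # unsigned forgery
        "tampered": check(f"{hdr}.{forged}.{sig}"),      # payload swap, old sig
        "expired": check(sign_hs256(dict(base, exp=now - 1), key)),
        "wrong_aud": check(sign_hs256(dict(base, aud=["other.example"]), key)),
        "role_changed": check(good, table={"alice": 4}),  # admin bumped version
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:13} {outcome}")
```

With a JWKS and asymmetric keys the shape is the same: the `kid` header selects a key from a set you already trust, the allow-list is checked against the key's intended algorithm rather than whatever the token claims, and nothing from the payload is read until the signature verifies.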