
Encrypt JWT_TOKEN in cookie

Open · dniel opened this issue 5 years ago · 1 comment

The JWT_TOKEN contains the user info of a user and should be protected. It is intended only for the application that sent the client-id and client-secret and should not be passed around to other applications. To make ForwardAuth the only application able to read the session token, the whole token should be encrypted. Other applications should get the needed user info from HTTP headers set by ForwardAuth or use the user info endpoint (#51).

Maybe implement a feature toggle for encryption so that it's easier for local development and for anyone who wants to use an unencrypted JWT_TOKEN anyway to pass the user profile around.

dniel avatar Mar 05 '19 20:03 dniel

See https://tools.ietf.org/html/rfc7516 for the JWE specification.

dniel avatar Mar 14 '19 14:03 dniel
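What the two comments above describe, as an added example that is not part of this issue or of the traefik-forward-auth0 code base: the already-signed JWT is wrapped in a JWE compact serialization (RFC 7516) before it is stored in the cookie, so only the party holding the key (ForwardAuth) can read the claims, and a boolean toggle leaves the token in the clear for local development. The example uses direct encryption with a shared 256-bit key (`alg: dir`, `enc: A256GCM`) rather than a key-wrapping algorithm; the function names `EncryptToken`, `DecryptToken`, `CookieValue`, the key and the sample token are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// b64 is the unpadded base64url alphabet every JWE segment uses (RFC 7516 §2).
var b64 = base64.RawURLEncoding

// jweHeader is the protected header for direct encryption with AES-256-GCM.
// alg "dir" means the shared 256-bit key is the content-encryption key itself,
// so the second compact segment (the encrypted key) is empty.
type jweHeader struct {
	Alg string `json:"alg"`
	Enc string `json:"enc"`
}

// newGCM builds the A256GCM primitive: 96-bit IV, 128-bit tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("A256GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptToken wraps an already-signed JWT (or any session blob) in the JWE
// compact serialization header..iv.ciphertext.tag, so only a holder of key
// can read the claims stored in the cookie.
func EncryptToken(key []byte, token string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	hdrJSON, _ := json.Marshal(jweHeader{Alg: "dir", Enc: "A256GCM"})
	protected := b64.EncodeToString(hdrJSON)
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// RFC 7516 §5.1: the AAD is the ASCII bytes of the encoded protected header,
	// so the header is integrity-protected even though it is not encrypted.
	sealed := gcm.Seal(nil, iv, []byte(token), []byte(protected))
	cut := len(sealed) - gcm.Overhead()
	return strings.Join([]string{
		protected,
		"", // encrypted-key segment: empty for alg=dir
		b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:cut]),
		b64.EncodeToString(sealed[cut:]),
	}, "."), nil
}

// DecryptToken reverses EncryptToken. Any change to the header, IV, ciphertext
// or tag fails the GCM tag check, so a tampered cookie is rejected outright.
func DecryptToken(key []byte, compact string) (string, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 5 || parts[1] != "" {
		return "", errors.New("not a JWE compact serialization with alg=dir")
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil {
			return "", err
		}
		raw[i] = d
	}
	// Pin alg/enc to what ForwardAuth itself produces; never let the header
	// pick the algorithm for us.
	var hdr jweHeader
	if err := json.Unmarshal(raw[0], &hdr); err != nil || hdr.Alg != "dir" || hdr.Enc != "A256GCM" {
		return "", errors.New("unexpected JWE alg/enc")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	plain, err := gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
	if err != nil {
		return "", errors.New("cookie decryption failed: " + err.Error())
	}
	return string(plain), nil
}

// CookieValue models the feature toggle proposed in the issue: with encryption
// off (local development) the raw JWT is stored; with it on, only the holder
// of key can read the cookie.
func CookieValue(encrypt bool, key []byte, jwt string) (string, error) {
	if !encrypt {
		return jwt, nil
	}
	return EncryptToken(key, jwt)
}

func main() {
	key := make([]byte, 32) // constructed per-deployment secret; load it from config in practice
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample shaped like an RS256 JWT (header.payload.signature); not a real token.
	jwt := "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhdXRoMHwxMjMifQ.c2lnbmF0dXJl"
	cookie, _ := CookieValue(true, key, jwt)
	back, err := DecryptToken(key, cookie)
	fmt.Println("Set-Cookie value:", cookie)
	fmt.Println("ForwardAuth reads back:", back, err)
}
```

The decryptor checks the header's `alg`/`enc` against the one pair it is willing to accept, so a client that edits the header cannot steer ForwardAuth into a different mode; and because the header is the GCM associated data, any such edit also fails the tag check. Downstream applications never see the key, which is exactly the property the issue asks for: they read user info from the headers ForwardAuth sets, not from the cookie.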