Skip to content

Update: [JSON_Web_Token_Cheat_Sheet] Token Infirmation DisclosureUpdate: [JSON_Web_Token_Cheat_Sheet] #2275

Description

@randomstuff

What is missing or needs to be updated?

The Token Disclosure section of the JWT cheat sheet mentions encryption of the JWT with AEAD.

The example encrypts the raw token using AES-GCM.

Several things are somewhat weird / not clear:

  • it is not clear is we are talking about encryption during transmission on the token or at rest encryption;
  • it is not talking about using en encrypted JWT (JWE).
Aead aead = AeadFactory.getPrimitive(keysetHandle);
byte[] cipheredToken = aead.encrypt(jwt.getBytes(), null);
return DatatypeConverter.printHexBinary(cipheredToken);

The implementation might be OK for at-rest encryption (but is not specific to JWTs).

The implementation is weird if we are talking about transferring the JWT. In this case, we expect to use a JWE.

How should this be resolved?

I would probably remove this section nearly entirely and mention using encrypted JWE (JWE) in this case.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ACK_WAITINGIssue waiting acknowledgement from core team before to start the work to fix it.HELP_WANTEDIssue for which help is wanted to do the job.UPDATE_CSIssue about the update/refactoring of a existing cheat sheet.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions