Implement JWT aud claim as a security requirement #29
Below is an example of a malicious auth flow. This flow would result in a complete account takeover for anything using Abandon Auth. This attack would not be visible to the user as they would not be aware that they are logging in with abandon auth. User would believe they are just authenticating with Discord.
We will represent the aud claim as a list of strings that will be developer application UUIDs
We will again be changing the auth flow quite a bit to be the above. This will be discussed further in a TBD issue.
Summary
Currently all tokens are created identically, regardless of which service was intended to consume them. Any token created for a service can be used to authenticate on any other service. This is a large security vulnerability since we want this project to be publicly usable for any third-party services.
Right now, if `Service A` creates a login request with abandon auth, the token for `Service A` is valid for 60 seconds on any other service that uses abandon auth. So `Service A` can use the login token it was given to authenticate with `Service B`. This is undesirable since `Service A` might be a website owned by a random individual, and `Service B` could be a production application owned by abandon tech or any other individual. It is not desirable that logging in with `Service A` would result in `Service A` fully owning your account for `Service B`. Therefore we need a way for each service to confirm that the token they were given is meant to authorize them with that respective service. The easiest (and most standard way) to solve this is by using the `aud` claim of the JWT.
We will require that all applications that wish to use abandon auth are given a client ID and client secret (a strong password/api token). When an application requests a login, it will also send its client ID and client secret to Abandon Auth. If the request succeeds (the client id and secret are authenticated/authorized) Abandon Auth will issue the login token with an `aud` that contains the client ID.
Acceptance Criteria
Abandon Auth JWTs include the `aud` claim; the `aud` claim is the authenticated client ID of the client which invoked the request.
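As an added illustration (not code from the Abandon Auth project), the check this issue asks for: the issuer puts the authenticated client ID into `aud`, and each consuming service accepts only tokens whose `aud` names its own client ID, so a token issued for `Service A` is rejected by `Service B`. It assumes HS256 with a shared signing key and uses constructed client IDs.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo key; assumption: the issuer and services share an HS256 key.
SIGNING_KEY = b"abandon-auth-demo-signing-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user_id: str, client_id: str, ttl: int = 60, now: Optional[int] = None) -> str:
    """Issue a login token bound to the authenticated client via the aud claim (list form)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "aud": [client_id], "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, my_client_id: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload only if the token is valid *for this service*, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        sig = _b64url_decode(s)
    except ValueError:  # malformed token (binascii.Error is a ValueError)
        return None
    # Verify with the fixed key/algorithm; never trust the header's alg to pick the key.
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return None
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None  # expired
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else aud
    if not isinstance(aud, list) or my_client_id not in aud:
        return None  # issued for another service: the exact cross-service misuse described above
    return payload

if __name__ == "__main__":
    tok = issue_token("user-123", "service-a-client-id")
    print(verify_token(tok, "service-a-client-id") is not None)  # True
    print(verify_token(tok, "service-b-client-id") is not None)  # False
```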