Why is ID token used instead of Access token to get temporary credentials in AWS?

After a user logs on to Cognito, he receives access and ID tokens. The ID token contains sensitive info like phone number, email, etc.

From all standards – ID token should not be used to gain access to an API: https://auth0.com/docs/tokens?_ga=2.253547273.1898510496.1593591557-1741611737.1593591372

In the backend, to get a session credential (to work with AWS resources) – you typically do this:

```python
import boto3

# The Logins key names the user pool that issued the token.
provider = f'cognito-idp.{region}.amazonaws.com/{user_pool_id}'
client = boto3.client('cognito-identity')

identity_id_response = client.get_id(
    IdentityPoolId=identity_pool_id,
    Logins={
        provider: id_token  # ID token! not access token
    }
)
```

Then:

```python
response = client.get_credentials_for_identity(
    IdentityId=identity_id_response['IdentityId'],
    Logins={
        provider: id_token  # ID token again
    },
)
```

Then, you can use AccessKeyId, SecretKey, SessionToken, etc.

This is problematic: what if you want to send the ID token to multiple services (via SNS, etc.) so you can perform processing on behalf of the user? You basically send a token that contains sensitive user data around the backend.

So it requires encryption before sending this token, which seems like an overhead.

Any thoughts?
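As an added illustration (not code from the question), the following decodes constructed Cognito-shaped ID and access tokens and lists which personal-data claims each carries; the tokens are built inline with a made-up HS256 key purely for the demo (real Cognito tokens are RS256-signed), and the claim names are the standard OIDC ones.

```python
import base64
import hashlib
import hmac
import json

# Standard OIDC claims that carry personal data (subset of the OIDC core claim set).
PII_CLAIMS = {"email", "phone_number", "name", "given_name", "family_name",
              "address", "birthdate", "preferred_username"}


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_jwt(claims: dict, secret: bytes = b"constructed-demo-key") -> str:
    """Build a constructed HS256 JWT for the demo only."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode_payload(token: str) -> dict:
    """Read the claims without verifying the signature; never authorize on this."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def pii_in_token(token: str) -> set:
    """Return the personal-data claims present in a token's payload."""
    return PII_CLAIMS & set(decode_payload(token))


# Constructed sample tokens shaped like Cognito's ID and access tokens.
ID_TOKEN = make_jwt({"sub": "sub-0001", "token_use": "id", "aud": "app-client-id",
                     "email": "alice@example.com", "phone_number": "+15555550100",
                     "cognito:username": "alice"})
ACCESS_TOKEN = make_jwt({"sub": "sub-0001", "token_use": "access",
                         "client_id": "app-client-id", "scope": "openid profile",
                         "username": "alice"})

if __name__ == "__main__":
    print("ID token PII claims:    ", sorted(pii_in_token(ID_TOKEN)))
    print("access token PII claims:", sorted(pii_in_token(ACCESS_TOKEN)))
```

The ID token is the only one of the two that carries email and phone number, which is why forwarding it between backend services spreads personal data, while the access token identifies the subject without it.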

Are web worker / service worker secure environments to store a password, credit card information, access tokens?

If there is a case where I wish to store sensitive data like a password, credit card information, or access tokens:

Are web workers / service workers a secure environment, where such data can not be compromised? If so, what to do to really secure it? If not so, why not exactly?

Why does keycloak use HS256 algorithm to sign access token when client settings specify RS256?

I have the following setup with a keycloak authentication server and an application:

  1. user logs in on application client side, send un/pw to server
  2. application server sends un/pw to keycloak server for a token
  3. keycloak server sends a token back to application server
  4. application server outputs web page with sensitive data

I want to use RS256 to sign my tokens. When I try to get a token on the client side, they are correctly signed with RS256, but as soon as I try to get one on the server, HS256 is used. How can I set keycloak to use RS256 in both cases?

I use the /auth/realms/{REALM_NAME}/protocol/openid-connect/token endpoint and keycloak 10.0.1.

Keycloak configuration:

  • keys
    • realm keys are HS256, AES, and RS256 (listed in this order) all with a priority of 100 (EDIT: even if I set the RS256 key priority to a higher value, HS256 is used)
    • default signing algorithm for the realm is set to RS256
  • client
    • access token signature algorithm and ID token signature algorithm for the client are set to RS256
    • the client is public
    • Valid redirect URIs contain the domain where the application server is currently running (which is localhost but my computer has a domain name)
    • Web origins is set to "+" (which as far as I’m aware copies entries from valid red. uris)

Google seems to return no results related to my problem.

Can a hacker access your email address and then choose to do nothing?

Okay, I know my question might sound a bit weird, but I am in a situation where I need knowledge on the subject (btw, if someone can assure me that there was never a Discord or Google data breach since 2018, even unknown to the public, I would be grateful).

I have done a bit of research on what hackers look for in an email address, and it looks like any information is valuable to them, but a friend that knows about the subject has told me that it was possible that a hacker decides to do nothing to your account if you’re "broke or a child".

I was confused, because I think even in that case, it would be possible (and useful) for them to send emails to my contacts on my behalf or log me out and ask for ransom or something like that.

So, is it really possible that a hacker just gives up on your address, and if so, how likely is that ?

No way of restricting public access to Firestore/API

Just glancing at GCP offerings for storing data, I noticed that while using Firestore, the only control for restricting public access is via security rules. However, in case of mis-configuration of security rules or compromise of access tokens/keys, the data store becomes absolutely publicly available at:

https://firestore.googleapis.com/v1/projects/<YOUR_PROJECT_ID>/databases/(default)/documents/*/**

What’s the way of completely blocking public access here (or restrict access to certain whitelisted IPs)? I am aware that we cannot put managed services inside a VPC.

Major security and usability flaw in Linux (root privileges and sudoers, folder access restriction, Ubuntu Linux)

Alright, let me give you the context. I am a business owner with strong technical background, say a programmer, though not an advanced system administrator. I’ve bought a VPS server where I want to host several applications and webpages. One of the apps consists of backend, admin frontend and user frontend, another one is just backend and frontend. So 5 different programmers develop those apps. From time to time, as the development takes its place, those programmers need to install and upgrade some packages, modify system configs and so on, i.e. they need ssh access and some root privileges.

And here is the tricky part. It is obvious that I don’t want them to see and gain access to the folders they are not supposed to see, i.e. the devs of the first app shouldn’t have access to the folders of the second app and vice versa. Moreover the backend dev of the first app shouldn’t have access to the frontend folders of the same app and the same goes for the second app. Also I would like to restrict access for them to certain commands like visudo or reboot, so they wouldn’t be able to lock me out of my own server or reboot it without my consent.

Now, if I give them sudo privileges for them to be able to run administrative tasks needed for their development – then they have access to everything and it becomes practically impossible to restrict access for them to certain folders and commands. On the other hand if I DON’T give them sudo privileges, then it becomes a huge pain for me to every time install packages and give them access to certain files and commands they need to continue development. There are over 1500 commands and the corresponding number of system files in Linux they could potentially need access to, so it’s very VERY inconvenient for me to spend so much time administering the VPS, especially given the fact that I’m not a very advanced system administrator and I don’t have much time because I need to run my business.

There are already numerous posts and threads on the Internet where people try to find solutions to somewhat similar problems like these: One, Two, Three, Four, Five, Six, Seven, Eight, Nine, and they still have no reasonable solutions to them, only those that involve some super-complex activities and anyway don’t give the needed result.

So from my point of view as a business owner it should be something like this: there is a root user who can do everything. He can create admins and define access rights for them, for example in that very sudoers file. Then it’s his decision whether to give access to an admin to the sudoers file itself and any of the folders and commands of his choice. For example an admin could be able to run any command in the system except “reboot” and “visudo” and he can access all files and folders except /etc/sudoers and say /var/www/private_folder even WITH sudo privileges invoked (meaning he can’t even copy those files, overwrite them, chmod and chown them and so on, i.e. access them with any command).

That would immediately make the whole system administration A LOT easier and more logical, eliminating the need for complex solutions like chroot jails, separate bash environments, splitting servers into virtual machines, using containers and so on. And it’s so simple, a matter of a couple of conditions in the code, if I understand it correctly from a developer’s perspective. Also, I want to be in control of my VPS, not having to trust any other third person believing he/she won’t steal my information and/or destroy my whole system either by making a mistake or intentionally, and basically it can be considered a serious security vulnerability from a certain point of view.

This seems so obvious and logical to me that I was really discouraged and embarrassed that it really isn’t like that in Linux. Maybe 20 years ago when Linux was created it was enough to have only a root and sudoers and the rest of users to accomplish the tasks they had at that time, but today everything goes a bit differently already and that archaic approach is not usable anymore.

Of course I realize I may understand something wrong and there is a strong reason why it has to be as it is; then please let me know why it is so and what is a correct and easy way of solving my problem described above without a need to build a behemoth on my VPS or manually administering it all the time by myself. After all it should be user-friendly, right? Now it’s not.

On the other hand if there is no such solution, then I would really be willing to even pay someone who could implement some kind of a patch or a package that will allow solving this problem.

Giving different passwords to the app servers to access the same database. Pros and Cons?

Let’s say we have

  • one db server.

  • three app servers with full database access.

Which scenario is the best?

  1. Each app server connects to that one database with different passwords.

Example: app srv 1 uses : “$ PSD$ Passwrod3” and app srv 2 uses “sometH$ ing else13pass” and so on.

  2. Every app server connects to that one database server with the same db password.

Technically, even if the servers have three different passwords, if one is hacked, the hacker will have full access to the database. So, we can use one password to make things easy for developers.

Is there any counter explanation that would justify using three different db passwords to “increase security”?