Just adding basic token by POST parameter for securing the API. It is safe?

Let’s say I have an address for an API like this:

mywebsite.com/api/mydata 

If accessed, a JSON will appear like this:

[   {     "id":"1",     "name":"John"   },   {     "id":"2",     "name":"Smith"   } ] 

The result defaults will be displaying the entire data if a post has no parameters. If you use post "ID" and the ID parameter value is one of the existing data in the API, it will only display objects from the data selected based on the ID. The API can be accessed by anyone. API needs to be accessed using token parameters to secure the data.

Let’s say I add a token parameter to be able to access data like this:

yourtoken="yourtoken"  if (post_param[token]==yourtoken) {   // Displaying JSON } 

so if you want to open the API, you need to add a token parameter.

Is simple security like this worth using? what vulnerabilities will arise if I use this? is there a better way than this?

CSRF token not sent when calling the back-end?

My system composes of NuxtJs and AdonisJs application. Adonis handles csrf tokens for us by sending:

set-cookie: adonis-session=XXX; Path=/; HttpOnly set-cookie: XSRF-TOKEN=XXX; Max-Age=7200; Path=/; SameSite=Strict set-cookie: adonis-session-values=XXX; Path=/; HttpOnly 

Now from what I can see, it will set a cookie that can be sent only by a browser. And only if the host is the same. From my understanding, from that point on, browser is the one who will auto attach cookies like that to each request. The problem is, when Nuxt application is making an API request to the back-end I do not see any csrf token being sent when looking at the traffic trough BurpSuite.

And naturally adonis will reply with "Invalid CSRF Token", and respond with status code 500.

I’m not sure what am I missing, I fail to understand why browser is not sending that cookie. And just as the extra information I’ve failed to find it trough browser’s inspector window (Storage tab). Is it possible that the cookie is not set or?

I’ve seen other posts regarding this issue, but they where not helpful because the solution was composed of reading a cookie and manually sending it as the header. Which I do not advise, and is not the model I’m going to implement. I would rather leave it to the back-end framework and browser to do the job for me, because as we all know, there would be less room for me to make a mistake.

Thank you for reading this.

What is the difference between a multi-use and a single-use credit card token [closed]

We are a large e-commerce website trying to introduce a feature by which customers can save their credit card details securely. We are aware of the need for PCI compliance and working out the necessary security aspects. Will be great to know the difference between a single-use and a multi-use payment tokens. Examples of websites that use these types will be very useful.

Is it necessary to encrypt a JSON Web Token more than what is built-in?

As a developer I do have some understanding of OWASP, I am also a member of OWASP community, official due paying one. Anyway, what I may not understand is information security in that I am not a security engineer and so I pose the following question:

Is it necessary to encrypt and encode a JSON Web Token?

In my experience, no secure or confidential information should be in a JSON Web Token anyway, outside of the id and email of the user. I can imagine a customer such as a bank freaking out about that, but what can someone do with an email? The password is salted and hashed and also at least in the NodeJS world that is my wheelhouse, JSON Web Token is tamper resistant.

I can verify that a token was valid by using the signing signature and if it fails due to tampering then the services will no longer trust it, that simple no? Why would it be necessary to encrypt it, Encode it And whatever else an overzealous engineer can think of? What problem is it solving or what use case is it handling that is not already built-in? Is it because in other programming languages there are no libraries built-in that can run a jwt.verify() on the JWT?

Could the case described in this post be what the institution is trying to solve?

JWT(Json Web Token) Tampering

I understand that for a customer for whom this is a big deal, encrypting the cookie contents is an option, but would that be overkill?

How do I make sure access token comes from authenticated user?

My problem boils down to the use of Okta’s access tokens to secure api endpoint.

I followed this okta guide to set up a react single-page application with their wiget.

When I log into the site I get a access token to use with my api.

I tried to access my api with the access token following this guide

On the api side Okta recommended to verify the access token. When I use their OktaJwtVerifier to verify the token I get faced with a question. How does this verifier know that I gave them the token from a authorized state and not from someone hijacking the token?

The verifier supposedly asserts that

  • Signature is valid
  • Access token is not expired
  • The aud claim matches any expected aud claim passed to verifyAccessToken().
  • The iss claim matches the issuer the verifier is constructed with.
  • Any custom claim assertions that you add are confirmed

But the validator does not know where the token came from.

I noticed that the access token gets saved into localStorage.

Does this not open up for a impersination attack on the access token? Suppose someone got access to the localStorage and used the access token on my api without authenticating. I tested if this would work and it did.

How can I prevent someone from stealing and using my access token without authenticating ???

Refresh token using a separate auth server?

I’d like to use JWTs for user authorization. My intention is use an auth server and an app server to keep them separate. This way my auth server will be the only JWT issuing server and the only server w/login and sign up logic.

I’ve recently run into this issue however – how do I refresh a user’s access token if my auth server is separate?

I’d like to use middleware via node.js to check the validity of a JWT, but if it fails, I’d need to contact the auth server, present the user’s refresh token, to get a new access token.

So, what’s the best way to do this? Would I use middleware to issue a remote request to get a new JWT? It seems there’s no other way, so I thought I’d check w/the community.

Why is ID token used instead of Access token to get temporary credentials in AWS?

After a user logons to cognito, he receives access and ID tokens. the ID token contains sensitive info like phone number, email, etc..

From all standards – ID token should not be used to gain access to an API: https://auth0.com/docs/tokens?_ga=2.253547273.1898510496.1593591557-1741611737.1593591372

In the backend, to get a session credential (to work with AWS resources) – you typically do this:

identity_id_response = boto3.client('cognito-identity').get_id(     IdentityPoolId=identity_pool_id,     Logins={         provider: id_token #ID token! not access token     } ) 

Then:

provider = f'cognito-idp.{region}.amazonaws.com/{user_pool_id}'  response = boto3.client('cognito-identity').get_credentials_for_identity(     IdentityId=identity_id_response,     Logins={         provider: id_token #access token again     }, ) 

Then, you can use AccessKeyId, SecretKey, SessionToken etc..

This is problematic as what if you want to send the ID token to multiple services (via SNS, etc..) so you could perform processing on behalf of the user? you basically send a sensitive token that contains sensitive user data over the backend.

So – it requires an encryption before sending this token, which seems like an overhead.

Any thoughts?

Why does keycloak use HS256 algorithm to sign access token when client settings specify RS256?

I have the following setup with a keycloak authentication server and an application:

  1. user logs in on application client side, send un/pw to server
  2. application server sends un/pw to keycloak server for a token
  3. keycloak server sends a token back to application server
  4. application server outputs web page with sensitive data

I want to use RS256 to sign my tokens. When I try to get a token on the client side, they are corectly signed with RS256, but as soon as I try to get one on the server, HS256 is used. How can I set keycloak to use RS256 in both cases?

I use the /auth/realms/{REALM_NAME}/protocol/openid-connect/token endpoint and keycloak 10.0.1.

Keycloak configuration:

  • keys
    • realm keys are HS256, AES, and RS256 (listed in this order) all with a priority of 100 (EDIT: even if I set the RS256 key priority to a higher value, HS256 is used)
    • default signing algorithm for the realm is set to RS256
  • client
    • access token signature algorithm and ID token signature algorithm for the client are set to RS256
    • the client is public
    • Valid redirect URIs contain the domain where the application server is currently running (which is localhost but my computer has a domain name)
    • Web origins is set to "+" (which as far as I’m aware copies entries from valid red. uris)

Google seems to return no results related to my problem.

Security concern on locally stored authentication token

It is a common method on mobile applications to allow users to bypass authentication process by verifying a locally stored token (previously authenticated) on device.

This is to strike a balance between usability (avoiding authentication every time) and security.

  1. Are there any security holes in this process?
  2. What are measures to be taken to strengthen this method?