@nicolasdao
Last active May 2, 2024 02:14
Online security guide. Keywords: security

ONLINE SECURITY GUIDE

Open ID Connect (OIDC) and OAuth2

ID token vs Access token vs Refresh token

In the OIDC protocol:

  • ID token is a JWT (usually short-lived) that carries explicit claims about the agent's identity. It is an optimization: the client can read identity data straight out of the token instead of looking it up in slower persistent storage. ID tokens are used for authentication, not for resource access, and they do not carry scopes. Their audience is the client application that requested them.
  • Access token can be a JWT (usually short-lived), but the format is not mandated by the protocol. It is presented as a bearer token to authorize access to resources, and that authorization decision is made on its scopes. The only piece of identity an access token normally carries is the agent's ID (the sub claim); it is not meant to be parsed by the client for identity data.
  • Refresh token. A refresh token is a long-lived credential whose only purpose is to obtain new short-lived tokens (ID token or access token). Keeping the short-lived tokens short-lived and renewing them often limits the damage if one is intercepted or replayed, because it soon expires. The refresh token cannot be used to authenticate an agent or to authorize access; it can only be exchanged for new tokens. Because that exchange happens infrequently, the refresh token itself is exposed on the wire far less often, which reduces (but definitely does not remove) the risk of interception. Refresh tokens are highly sensitive and must be stored with extreme care. When they are used in a web browser, it is recommended to store them in an HttpOnly (and Secure) cookie rather than in JavaScript-accessible storage such as localStorage (more details in this article). It is also recommended to support revoking them, for all or some of your agents, in case of a security breach.

References:

  • JWT structure: https://medium.com/@darutk/understanding-id-token-5f83f50fa02e

Standard claims

The OAuth2 protocol does not impose any rules on how tokens are built, but OIDC does. OIDC builds on the registered JWT claim names (for the exhaustive registry, please refer to https://tools.ietf.org/html/rfc7519#section-4). With OIDC, an ID token must be a JWT containing at least the following claims, and a client must check each of them (together with the signature) before trusting the token:

  • iss - Issuer: Identifier (an https URL) of the principal that issued the JWT. The client must compare it with the issuer it expects.
  • sub - Subject: Principal that is the subject of the JWT, i.e. the identifier of the authenticated agent.
  • aud - Audience: Recipients that the JWT is intended for. For an ID token this must contain the client_id of the relying party; a token whose aud does not include your client must be rejected.
  • iat - Issued At: Time at which this token was created, expressed as seconds since the Unix epoch.
  • exp - Expiration: Time after which this token must not be accepted, expressed as seconds since the Unix epoch.