
How JWE works with Request Object in OIDC

I wanted to use encrypted local PASETO tokens for the Request Object in OIDC, but it turns out that I need to store the key somewhere to decrypt this request object, and it must be available unencrypted/unhashed, as it will be needed to decrypt the Request Object. So I will have to store it as plain text in a database? Pretty dangerous.

So I started to wonder how JWE works, but the documentation from https://datatracker.ietf.org/doc/html/rfc7516#section-5.1 about JWE encryption is quite confusing for me. Does JWE solve this problem of storing a symmetric key in a database as plain text, or does it have other ways?

There are a few different solutions here, which solve different problems:

ENCRYPTED JWTs

These can be used when the app wants to prevent information disclosure. They are issued by the Authorization Server, which uses a public key to encrypt them. There is then a burden on the app to maintain a private key to decrypt them. See the Encrypted ID Tokens for some example usage.

REQUEST OBJECTS

These are often used to protect against man-in-the-browser tampering. The app only needs to deal with public keys, which it already has access to, so the solution is easier to manage. Newer standards such as PAR and JARM are used, as in this summary.

JWT INFORMATION DISCLOSURE

If you want to avoid revealing sensitive data in access token JWTs, then the usual technique is to return only opaque access tokens to internet clients. This is easier to manage than encryption. See the Phantom Token Pattern for how this works.

SUMMARY

I would usually avoid introducing key management into apps. Aim to manage this in the Authorization Server instead.
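The "ENCRYPTED JWTs" point above, the Authorization Server encrypting with a public key while the app keeps only its private key, is how JWE avoids the stored symmetric key the question worries about: a fresh content encryption key (CEK) is generated per token and wrapped inside the token itself. The Go program below is an added example, not code from the answer or from any library; it implements RSA-OAEP-256 key wrapping with A256GCM content encryption in JWE Compact Serialization on the standard library alone, with the protected header pinned so a token cannot select a different algorithm. The function names NewAppKey, Encrypt and Decrypt and the claims used in testing are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

// Pinned protected header: RSA-OAEP-256 wraps the CEK, AES-256-GCM encrypts the payload.
const header = `{"alg":"RSA-OAEP-256","enc":"A256GCM"}`
var b64 = base64.RawURLEncoding
var hdr = b64.EncodeToString([]byte(header)) // first JWE segment; also the GCM AAD (RFC 7516 5.1)
// NewAppKey makes the app's key pair; only the public half is handed to the Authorization Server.
func NewAppKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
func aesGCM(cek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(cek) // cannot fail: callers guarantee a 32-byte CEK
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Encrypt builds a JWE Compact Serialization for whoever holds pub's private key; the CEK is fresh per token.
func Encrypt(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	rnd := make([]byte, 44) // 32-byte CEK followed by a 12-byte GCM IV, both random per token
	if _, err := rand.Read(rnd); err != nil { return "", err }
	cek, iv := rnd[:32], rnd[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil { return "", err }
	sealed := aesGCM(cek).Seal(nil, iv, plaintext, []byte(hdr)) // ciphertext with 16-byte tag appended
	n := len(sealed) - 16
	return strings.Join([]string{hdr, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// Decrypt accepts only the pinned header, unwraps the CEK with priv and checks the GCM tag before returning anything.
func Decrypt(priv *rsa.PrivateKey, jwe string) ([]byte, error) {
	p := strings.Split(jwe, ".")
	if len(p) != 5 || p[0] != hdr { return nil, errors.New("not a JWE with the pinned header") }
	var raw [5][]byte
	for i, err := 1, error(nil); i < 5; i++ {
		if raw[i], err = b64.DecodeString(p[i]); err != nil { return nil, err }
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[1], nil)
	if err != nil || len(cek) != 32 || len(raw[2]) != 12 { return nil, errors.New("bad CEK or IV") }
	return aesGCM(cek).Open(nil, raw[2], append(raw[3], raw[4]...), []byte(hdr))
}
```

Nothing symmetric is persisted on either side: the sender needs only the recipient's public key, and the recipient needs only its private key, which is the key-management burden the answer describes.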
