Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add data protection to DatabaseJsonWebKeyStore and FileSystemStore #64

Open
sherlock1982 opened this issue May 15, 2024 · 2 comments
Open

Add data protection to DatabaseJsonWebKeyStore and FileSystemStore #64

sherlock1982 opened this issue May 15, 2024 · 2 comments

Comments

@sherlock1982
Copy link

sherlock1982 commented May 15, 2024
edited
Loading

Recently switch from DataProtectionStore to DatabaseJsonWebKeyStore and noticed that no DataProtection is present.
It looks to me that mentioned stores are generally less secure than default one.

Note that for example MsalDistributedTokenCacheAdapterOptions has an option to Encrypt (default false):

        services.Configure<MsalDistributedTokenCacheAdapterOptions>(options =>
        {
            // Just for extra security here
            options.Encrypt = true;
        });

I added protection to DatabaseJsonWebKeyStore like this:

            keyModel.Property(key => key.Parameters).HasColumnName("parameters").HasConversion(
                val => Protect(val), dbVal => Unprotect(dbVal)
            );

With:

    string Protect(string val)
    {
        return dataProtector.Protect(val);
    }

    string Unprotect(string dbVal)
    {
        try
        {
            return dataProtector.Unprotect(dbVal);
        }
        catch
        {
            // Something bad but also maybe unprotected payload
            return dbVal;
        }
    }

But I think would be nice to have it in the stores out of the box.

The other option will be to add protection at a higher level for KeyMaterial but that won't work good for some scenarios. For example I'd like to store a public key separately so I can access it from other services but keep private key only to the specific service.
@brunobritodev
Copy link
Member

I agree with you and have some additional thoughts on this matter.

This component was created to handle JWT in high availability scenarios. One of the reasons for not encrypting data before persisting it in other stores is that we cannot guarantee developers will configure DataProtection properly. In high availability scenarios, where multiple instances may exist, some of them might be unable to decrypt the content, leading to exceptions in the component.

However, the DefaultStore (added in more recent versions) uses DataProtection.Repositories, which minimizes this risk. This ensures that in high availability scenarios, DataProtection must be configured, thus maintaining data integrity across instances.

Although I have explained the reasons, I no longer hold a strong opinion on this matter. What are your thoughts on this?

@sherlock1982
Copy link
Author

sherlock1982 commented May 31, 2024
edited
Loading

Well first of all thanks for the lib! I was playing with it a lot and found it very nice.

In my final approach I decided to change implementation of JwtService and KeyMaterial.
I added extra column to KeyMaterial called PublicKey and store there public key unencrypted. While parameters go encrypted.
Revoke simply cleans up Parameters column.

This solved the following things for me:

  1. Another service accesing the database who wants to check token signature can do it quite easily. I have some services that in the future should only check signatures but not issue tokens.
  2. If DB is somehow stolen or select SQL injection executed private key is not exposed.
  3. If I want to make a backup of keys to restore them on a different machine I can easily do it dropping private keys and simply restoring tokens for signature verify only. Therefore even if backup is stolen they can't generate new tokens.
  4. I had to change implementation to the one I mentioned in Prefer using IssuerSigningKeyResolver over cleaning TokenHandlers #66 and simply access PublicKey for verification. It means i don't really need GetKeys() function basically and I can access certain key already knowing it's kid
  5. If I have an issue with DataProtector. For example key is lost it's ok - I just generate a new key but still can have old keys for verification

I also noticed that I can't really make a key invalid so a new key will be generated if I can't Unprotect the key. This is why I also adjusted it and moved data protection to JwtService layer.

And yes I added a semaphore for GetCurrentCredentials function because it will generate multiple keys at the same time.

And one more thing - you remember the issue with casing in the key. The problem here is the lib doesn't behave well if for some reason such issue happens. Becuase it simply throws the exception from GetSecurityKey.
You can of course catch it and generate a new key but in this case GetLastKeys() will throw an exception in the token handler.
So another reason for me to change implementation here.

We can close this discussion - just wanted to share my findings on this :-)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@brunobritodev @sherlock1982