How to Overcome itsdangerous Limitations for SSO: Encryption and Expired Tokens

I have created several related applications using Python and Flask. One of them is an authentication application where a user logs in and receives a token. Others are business applications that authenticate and authorize a user based on a token. Of course, the token needs to be signed to prevent tampering. Since I'm using Python, the itsdangerous module is a natural choice. But it doesn't provide some features that seem important. Writing your own security code alone is rarely a good idea, but I feel compelled to add my own code on top of itsdangerous to address some of the limitations. I'd like to know:

a. Are the below problems?

b. If so, can anyone recommend a good open source security solution for Python / Flask that addresses them?

The two limitations that worry me the most are:

  • Lack of encryption. itsdangerous can sign a token, but cannot encrypt it. The token can contain information that the user should not see, such as a list of the roles he or she received.

  • Leaked information about whether there was a valid expired token. An attacker who has a token can use it to distinguish between tokens that were never valid and tokens that were previously valid but expired. It would be better if such a user could only say that the token is invalid, without specifying the reason.

+3




1 answer


  • Lack of encryption. itsdangerous can sign a token, but cannot encrypt it. The token can contain information that the user should not see, such as a list of the roles he or she has received.

I see no harm in letting the user see which roles he lost. But if you don't want it to be visible in the token, you could just treat the token as an identifier and establish a relationship between the token and the user, and therefore the user's role.

If the token does contain personal data, you must first encrypt it (for example using PyCrypto) and then sign it (for example using itsdangerous or hmac).



See Should we be MAC-then-encrypt or encrypt-then-MAC? for information on how to sign and encrypt data.

  • Leaked information about whether there was a valid expired token. An attacker who has a token can use it to distinguish between tokens that were never valid and tokens that were previously valid but expired. It would be better if such a user could only say that the token is invalid, without specifying the reason.

If you encrypt the token, or if the token is just an identifier, then the attacker only needs to know if the token is valid (that is, it works right now), but if some other token would not be valid without using it directly. But why would knowing in advance whether the token is valid or not affect security?

+3
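
The identifier approach suggested in this answer, as an added example that is not part of the original answer: the client holds only a random string, roles stay server-side, and unknown and expired tokens get the same result. The `TokenStore` class, its method names and the in-memory dict are assumptions for illustration; in the setup from the question, the business applications would resolve the token against the authentication application.

```python
import hashlib
import secrets
import time


class TokenStore:
    """Server-side session table; the token itself carries no user data."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock      # injectable so expiry can be exercised in tests
        self._sessions = {}      # sha256(token) -> (user, roles, expires_at)

    @staticmethod
    def _key(token):
        # Keep only a digest, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user, roles):
        token = secrets.token_urlsafe(32)   # 32 random bytes, nothing to decode
        expires_at = self._clock() + self._ttl
        self._sessions[self._key(token)] = (user, tuple(roles), expires_at)
        return token

    def lookup(self, token):
        """Return (user, roles) for a live token, otherwise None.

        Malformed, never-issued and expired tokens all yield the same None,
        so a caller cannot tell "expired" apart from "never valid".
        """
        if not isinstance(token, str):
            return None
        key = self._key(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, roles, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[key]         # purge the dead session
            return None
        return user, roles


if __name__ == "__main__":
    # Constructed sample data: user "alice" with two roles, 60 second lifetime.
    fake_now = [1000.0]
    store = TokenStore(ttl_seconds=60, clock=lambda: fake_now[0])
    t = store.issue("alice", ["admin", "billing"])
    print(store.lookup(t))                  # live token
    fake_now[0] += 61
    print(store.lookup(t), store.lookup("never-issued"))
```
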

