Open Closed

JSON web token observation #1457

User avatar
0
Repunjay created

Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token

As part of web application assessment, there was an observation reported about JWT tokens.

The JSON web token (JWT) for your web application was not encrypted, allowing the data within it to be inspected with trivial effort. This revealed the email (username) and expiration date of the token.

Recommendation is to either -

  1. Remove sensitive data from the payload if it is not required - Not sure if this is possible and application will work

  2. Instead of placing sensitive data in the payload, use an indirect object reference which is resolved on the server side - Not sure if this is possible and application will work

  3. Encrypt the JWT payload using the JSON web encryption (JWE) scheme

  4. Encrypt sensitive data within the JWT payload using a custom process.

I understand that this is not related to the framework and it is the subject of Identity Server but we don't have much control over it as the Identity server is integrated within the framwework itself. Can you guide us to remediate this issue based on recommendations mentioned above. Need to know what changes will be required in existing application code to handle it.

Thanks

Go to accepted answer
2 Answer(s)
Assignee
User avatar maliming
Labels
None yet
Boost Your Development
ABP Live Training
Packages
See Trainings
Mastering ABP Framework Book
Do you need assistance from an ABP expert?
Schedule a Meeting
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v9.3.0-preview. Updated on April 16, 2025, 12:13