WLCG-AuthZ-WG / bearer-token-discovery


Security of tokens #5

Open apeters1971 opened 3 years ago

apeters1971 commented 3 years ago

One should add some security-related checks for token files, to make sure that these token files belong to the UID of the application reading them and that the permissions of these token files are private (not accessible to others). Essentially the same security checks as we do for Kerberos token files.

It may also be useful to consider keyrings for the purpose of storing these tokens.

bbockelm commented 3 years ago

I don't mind at all giving some guidance; I think we should be concerned that it'll be relatively Linux-specific?

Not sure how to cover use of keyrings in a 'recommendation' document like this. Probably should do some technical experiments first to figure out how to best use them.

jbasney commented 3 years ago

A few potential references:

A few others that I looked at but don't appear to provide guidance specific to this topic:

apeters1971 commented 3 years ago

Could you also define whether BEARER_TOKEN_FILE is allowed to be a symlink?

apeters1971 commented 3 years ago

Wouldn't it make sense to follow some well-proven concepts, as they are used for example in Kerberos: https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html

Instead of having three different variable names for environment, file or directory location, you use one with a sort of plug-in mechanism:

BEARER_TOKEN=FILE:/tmp/... or /tmp/file
BEARER_TOKEN=DIR:/tmp/btdir/ or /tmp/dir/
BEARER_TOKEN=JWT:token or token
BEARER_TOKEN=KEYRING:bearer-token
and so on ...

Probably XDG_RUNTIME_DIR is not what is meant by DIR: ... I guess that is useful to keep.
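The two requests in this thread, Kerberos-ccache-style ownership and permission checks on token files and a prefixed BEARER_TOKEN=FILE:/JWT:/DIR:/KEYRING: form, can be put together in one small client-side routine. The following is an added example, not code from bearer-token-discovery or from any WLCG client. It assumes POSIX semantics (fstat ownership bits, O_NOFOLLOW), assumes the token is the first line of the file, reads a bare BEARER_TOKEN value that starts with "/" as a path and anything else as the token itself (one reading of the proposal above), and deliberately reports DIR: and KEYRING: as unsupported, since a minimal client need not implement them. The XDG_RUNTIME_DIR fallback is left out. The sample token and file names are constructed for the demo.

```python
"""Kerberos-ccache-style safety checks for bearer token files plus discovery
of the prefixed BEARER_TOKEN form proposed in this thread.
Added example, not part of bearer-token-discovery. POSIX/Linux only."""
import os
import stat
import tempfile


class TokenError(Exception):
    """Raised when no usable token can be discovered."""


def read_token_file(path, allow_symlink=True):
    """Return the token stored in `path`, refusing files that fail the checks.

    The checks mirror what krb5 applies to FILE: credential caches: the object
    must be a regular file, owned by the effective UID, and not readable or
    writable by group/other. They run on the opened descriptor (fstat), so the
    file that is checked is the file that is read; a stat() on the path
    followed by a separate open() could be raced. Symlinks are refused only
    when the caller asks for it, since the thread leaves that choice open.
    """
    flags = os.O_RDONLY | getattr(os, "O_CLOEXEC", 0)
    if not allow_symlink:
        flags |= os.O_NOFOLLOW  # open() fails with ELOOP if the last component is a symlink
    try:
        fd = os.open(path, flags)
    except OSError as exc:
        raise TokenError(f"cannot open {path}: {exc.strerror}") from exc
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise TokenError(f"{path} is not a regular file")
        if st.st_uid != os.geteuid():
            raise TokenError(f"{path} is owned by uid {st.st_uid}, not {os.geteuid()}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise TokenError(f"{path} is accessible by group/other "
                             f"(mode {stat.S_IMODE(st.st_mode):04o})")
    except BaseException:
        os.close(fd)
        raise
    with os.fdopen(fd, "r", encoding="utf-8") as fh:  # fdopen now owns fd
        token = fh.readline().strip()  # assumed: the token is the first line
    if not token:
        raise TokenError(f"{path} is empty")
    return token


def discover_token(env, allow_symlink=True):
    """Resolve a token from an environment mapping such as os.environ.

    Handles the proposed plug-in prefixes (JWT:, FILE:, DIR:, KEYRING:) and
    falls back to the existing BEARER_TOKEN_FILE variable.
    """
    value = env.get("BEARER_TOKEN", "")
    if value:
        scheme, sep, rest = value.partition(":")
        if not sep:  # bare value: a path if it starts with "/", else the token itself
            return read_token_file(value, allow_symlink) if value.startswith("/") else value
        if scheme == "JWT":
            return rest
        if scheme == "FILE":
            return read_token_file(rest, allow_symlink)
        if scheme in ("DIR", "KEYRING"):
            raise TokenError(f"{scheme}: token sources are not supported by this client")
        raise TokenError(f"unknown BEARER_TOKEN scheme {scheme!r}")
    path = env.get("BEARER_TOKEN_FILE", "")
    if path:
        return read_token_file(path, allow_symlink)
    raise TokenError("no bearer token found in environment")


def demo():
    """Exercise the checks on constructed files; returns the outcome per case."""
    token = "eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIn0.sig"  # constructed sample, not a real token
    results = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "bt_good")  # private, owned by us: accepted
        with open(good, "w", encoding="utf-8") as fh:
            fh.write(token + "\n")
        os.chmod(good, 0o600)
        leaky = os.path.join(d, "bt_leaky")  # world-readable: refused
        with open(leaky, "w", encoding="utf-8") as fh:
            fh.write(token + "\n")
        os.chmod(leaky, 0o644)
        link = os.path.join(d, "bt_link")  # symlink to the good file
        os.symlink(good, link)
        cases = {
            "env_jwt": ({"BEARER_TOKEN": token}, True),
            "prefixed_jwt": ({"BEARER_TOKEN": "JWT:" + token}, True),
            "file_ok": ({"BEARER_TOKEN": "FILE:" + good}, True),
            "legacy_var": ({"BEARER_TOKEN_FILE": good}, True),
            "file_leaky": ({"BEARER_TOKEN_FILE": leaky}, True),
            "symlink_allowed": ({"BEARER_TOKEN_FILE": link}, True),
            "symlink_refused": ({"BEARER_TOKEN_FILE": link}, False),
            "dir_scheme": ({"BEARER_TOKEN": "DIR:" + d}, True),
        }
        for name, (env, allow) in cases.items():
            try:
                results[name] = discover_token(env, allow_symlink=allow)
            except TokenError as exc:
                results[name] = "REFUSED: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The point of doing the checks on the open descriptor rather than on the path is the same as in krb5: there is no window between the check and the read in which the file could be swapped for another one. Whether to pass allow_symlink=False is exactly the policy question raised above; the reader-side cost of refusing symlinks is a single open flag.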

DrDaveD commented 3 years ago

> Could you also define whether BEARER_TOKEN_FILE is allowed to be a symlink?

If there is a security section, I think it makes sense to mention it. I don't know why a reader of the file would need to disallow it. I can see why it might be an issue for writing, but the document isn't about storing.

> Instead of having three different variable names for environment, file or directory location, you use one with a sort of plug-in mechanism:

I think we wanted to specify the least common denominator, and specifying directories or keyrings is probably too complex for very simple clients. There's nothing preventing an advanced client from supporting additional options. To use something like DIR or KEYRING the way that kerberos does implies supporting multiple tokens and some kind of naming system.