dniel / traefik-forward-auth0

A backend for performing forward authentication with Auth0 using the Traefik reverse proxy.
GNU General Public License v3.0
85 stars, 15 forks

Encrypt JWT_TOKEN in cookie #52

Open dniel opened 5 years ago

dniel commented 5 years ago

The JWT_TOKEN contains the user info of a user and should be protected. It is intended only for the application that sent the client-id and client-secret and should not be passed around to other applications. To make ForwardAuth the only application able to read the session token, the whole token should be encrypted. Other applications should get the needed user info from HTTP headers set by ForwardAuth or use the user info endpoint (#51).

Maybe implement a feature toggle for encryption so that it's easier for local development and in case someone wants to use an unencrypted JWT_TOKEN anyway to pass the user profile around.

dniel commented 5 years ago

See https://tools.ietf.org/html/rfc7516 for the JWE specification.
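As an added illustration of both comments above (not code from traefik-forward-auth0), here is a minimal JWE compact serialization in Go using direct key agreement (`alg: dir`) with `A256GCM`, so the token in the cookie is opaque to every service except the one holding the key. It assumes a 32-byte key held only by ForwardAuth and a hypothetical `EncryptToken`/`DecryptToken` API; the strict header check on decrypt is there so a cookie with a different `alg`/`enc` is rejected rather than interpreted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWE uses unpadded base64url (RFC 7516, section 3)
// Protected header: direct key agreement ("dir") with AES-256-GCM content encryption.
var protectedHeader = b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`))
func gcmFor(key *[32]byte) cipher.AEAD { // fixed 32-byte key: neither call below can fail
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// EncryptToken wraps a JWT so that only a holder of key (ForwardAuth) can read it.
func EncryptToken(key *[32]byte, token string) (string, error) {
	gcm := gcmFor(key)
	iv := make([]byte, gcm.NonceSize()) // 96-bit IV, as A256GCM requires
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nil, iv, []byte(token), []byte(protectedHeader)) // header is the AAD
	n := len(sealed) - gcm.Overhead() // Go appends the tag; JWE carries it as its own part
	return strings.Join([]string{protectedHeader, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}
// DecryptToken rejects an unexpected header, a wrong key, or any tampered part.
func DecryptToken(key *[32]byte, jwe string) (string, error) {
	p := strings.Split(jwe, ".")
	if len(p) != 5 || p[0] != protectedHeader || p[1] != "" {
		return "", errors.New("not a dir/A256GCM JWE compact serialization")
	}
	gcm := gcmFor(key)
	iv, e1 := b64.DecodeString(p[2])
	ct, e2 := b64.DecodeString(p[3])
	tag, e3 := b64.DecodeString(p[4])
	if e1 != nil || e2 != nil || e3 != nil || len(iv) != gcm.NonceSize() {
		return "", errors.New("malformed JWE")
	}
	pt, err := gcm.Open(nil, iv, append(ct, tag...), []byte(p[0]))
	if err != nil {
		return "", err // GCM tag check failed: wrong key or tampering
	}
	return string(pt), nil
}
```

The encryption toggle from the first comment would simply select between storing the raw JWT and the output of `EncryptToken` in the cookie.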