kreait / firebase-tokens-php

A PHP library to work with Firebase tokens
MIT License
223 stars, 33 forks

Feature Request - Optional Implementation of OWASP recommendations #44

Closed james-bw closed 2 years ago

james-bw commented 2 years ago

OWASP has a bunch of recommendations for JWT security to prevent:

It would be great if these were configurable options on the Firebase Authentication of this library that we could enable and configure on an as-needs basis.

For example, a potential implementation of the Token Sidejacking validation would be for src/JWT/Action/VerifyIdToken/WithLcobucciJWT.php handle() function to add an additional validator to validate .withClaim("userFingerprint", userFingerprintHash).

As this is not a core function of the encoding/decoding of the token (which would imply updating the Lcobucci/JWT library), I think these changes live in this library.

jeromegamez commented 2 years ago

Thanks for raising this topic! However, I'm not sure they apply here. Firebase ID tokens are issued by the Firebase backend, not the SDK.

The SDK uses lcobucci/jwt only to parse these tokens and verify them, again with the Firebase backend. Custom tokens generated are only usable with the application's project and used within the official Firebase Client SDKs.

Could you please provide more details on what exactly you want to be made configurable and give reproducible examples if you see any problems or exploits?

james-bw commented 2 years ago

As noted in the content above:

For example, a potential implementation of the Token Sidejacking validation would be for src/JWT/Action/VerifyIdToken/WithLcobucciJWT.php handle() function to add an additional validator to validate .withClaim("userFingerprint", userFingerprintHash).

As this is not a core function of the encoding/decoding of the token (which would imply updating the Lcobucci/JWT library), I think these changes live in this library.

james-bw commented 2 years ago

The Block List for token revocation could be implemented using your src/JWT/Action/FetchGooglePublicKeys/WithPsr6Cache.php, and then again the src/JWT/Action/VerifyIdToken/WithLcobucciJWT.php handle() function could validate that the token does not exist in the block list.

jeromegamez commented 2 years ago

Thank you for your suggestion, but the Firebase Auth Backend provides neither a user fingerprint nor a blocklist.

Custom tokens generated with this library are passed on to a Firebase Client, which uses them to authenticate with the Firebase backend; ID tokens received from the Firebase backend are verified by checking the presence and validity of the given claims and that they are signed with one of Google's keys.

Also, this library doesn't revoke tokens. Token revocation is present in the PHP Firebase Admin SDK, but this is done by sending an authenticated request to the Firebase backend.

If you think that ID Tokens should have a user fingerprint or that Firebase/Google should provide a blacklist, please direct your suggestions directly to Firebase/Google at https://firebase.google.com/support
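The verification flow jeromegamez describes above (check the claims, then check the signature against a key selected by `kid` from Google's published set), with the two checks james-bw proposed earlier in the thread (a `userFingerprint` claim compared against a hardened cookie, and a revocation blocklist) layered on as optional validators. This is an added example, not code from this library or from Firebase: a locally generated RSA key plays the role of Google's signing key, and the project id, `kid`, `jti` and `userFingerprint` values are constructed for the illustration. As noted above, a Firebase-issued ID token carries neither of those two claims, so the optional checks can only pass when whoever mints the token puts them there.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims is the checked subset of the payload; jti and userFingerprint are hypothetical additions.
type Claims struct {
	Iss             string `json:"iss"`
	Aud             string `json:"aud"`
	Sub             string `json:"sub"`
	Iat             int64  `json:"iat"`
	Exp             int64  `json:"exp"`
	Jti             string `json:"jti,omitempty"`
	UserFingerprint string `json:"userFingerprint,omitempty"`
}

// decodeSeg base64url-decodes one JWT segment and unmarshals the JSON inside it.
func decodeSeg(seg string, out any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// FingerprintHash is the OWASP sidejacking claim: SHA-256 of the random value also set as a hardened cookie.
func FingerprintHash(cookie string) string {
	sum := sha256.Sum256([]byte(cookie))
	return hex.EncodeToString(sum[:])
}

// Sign stands in for the issuer (Google, for real ID tokens): RS256 with a kid header.
func Sign(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc(sig), nil
}

// Verifier holds the trust anchors: key set (kid -> public key, the role of Google's keys), project, optional checks.
type Verifier struct {
	Keys               map[string]*rsa.PublicKey
	ProjectID          string
	Blocklist          map[string]bool // revoked jti values
	RequireFingerprint bool
}

// Verify checks the signature first, then the standard claims, then the optional extras.
func (v *Verifier) Verify(token, fingerprintCookie string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	// Pin the algorithm and pick the key by kid; the token never chooses how it is checked.
	var hdr struct{ Alg, Kid string }
	err := decodeSeg(parts[0], &hdr)
	key, ok := v.Keys[hdr.Kid]
	if err != nil || hdr.Alg != "RS256" || !ok {
		return nil, errors.New("bad header, unexpected alg or unknown kid")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify")
	}
	var c Claims
	if err := decodeSeg(parts[1], &c); err != nil {
		return nil, err
	}
	now := time.Now().Unix()
	for _, chk := range []struct{ bad bool; msg string }{
		{c.Iss != "https://securetoken.google.com/"+v.ProjectID || c.Aud != v.ProjectID, "wrong issuer or audience"},
		{c.Sub == "", "missing subject"},
		{c.Iat > now || c.Exp <= now, "not valid at this time"},
		{v.Blocklist[c.Jti], "token revoked"},
		{v.RequireFingerprint && c.UserFingerprint != FingerprintHash(fingerprintCookie), "fingerprint mismatch"},
	} {
		if chk.bad {
			return nil, errors.New(chk.msg)
		}
	}
	return &c, nil
}
```

The order matters: the signature is checked before any claim is read, so an attacker who can edit the payload gains nothing from the claim logic, and the `kid` only selects among keys the verifier already trusts. With `RequireFingerprint` off and an empty `Blocklist`, `Verify` reduces to the claim-and-signature check jeromegamez describes; the two extras only reject tokens that were minted with the corresponding claims, which is exactly why they cannot be bolted onto tokens issued elsewhere.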