giridharvc7
commented
1 year ago Thank you for reporting this, I agree there should be some warning on this behaviour. Meantime, you can store your Private key in an environment variable, this should ensure some level of data security around your private key not being exported by mistake with the collection json.
Also, in environment variables, only the initial values are synced, current values aren't synced with Postman cloud - you can also leverage this when storing your Private keys in environment
Is there an existing issue for this?
Describe the Issue
When using a service principal private key (RS256 Algorithm) to generate a self-signed JWT, the private key is exposed in several ways:
1) on the authorization configuration screen, there is no "hide" button like we have for secrets in the variables 2) when exporting the workspace, the private key is included in the json output with no indication to the user (no option to redact secrets) 3) since the workspace is stored in the cloud, it violates the principle of not having the secret pass through the network. one of the reasons a JWT is used in the first place is to avoid this very thing by sending a signed token rather than sending the secret itself. I don't consider this a feature request and it is likely "working as designed." In that case, the design would have the defect. Yes, the transport and storage layers of it are very secure, but security principles require us to secure every layer of communication, not relying on other layers. The app should not save the private key in the workspace/collection, but rather refer to the source file that it came from. Better yet, store the key in the computer's keychain/wallet specific to the OS like other apps such as web browsers.
Steps To Reproduce
Screenshots or Videos
No response
Operating System
macOS
Postman Version
10.17.2
Postman Platform
Postman App
User Account Type
Signed In User
Additional Context?
No response