Task
Resolution: Done
Major
MCP Service Team 1 Sprint 2, MCP Team 1 Sprint 3
What
We should verify that the access token was signed by the Keycloak realm it originated from, so that a token tampered with on the client side is rejected.
Why
To prevent a malicious user from tampering with the access token to add additional roles and so bypass access control checks in the mobile app.
How
This should be called before carrying out access control decisions within the app (it can probably be part of the getRoles function in AGDROID-684). The function should confirm that the access token was signed by the realm the client interacts with. The public key of the realm can probably be hard coded in the application and used for the digital signature check.
The issuer can be matched too: the realm URL the client is configured with (for example http://localhost:8080/auth/realms/MY_REALM) should equal the issuer (iss) claim of the JWT.
Perhaps there can be a verifyToken() and a verifyIssuer().
Note: This probably doesn't need to be exposed by the SDK. It's probably just an additional check to perform.
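Both checks described above (signature under the realm's public key, then issuer match), as an added example in Go on the standard library only; this is not the AeroGear SDK's own code. The realm key pair, the token and the realm URL are constructed here; in the app the public key would be the hard-coded realm key and the token the one Keycloak issued.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// VerifyToken returns the realm roles only if the RS256 signature verifies under the
// realm's public key and "iss" equals the realm URL the client talks to. The header's
// "alg" is never consulted, so editing it on the client cannot downgrade the check.
func VerifyToken(token string, pub *rsa.PublicKey, issuer string) ([]string, error) {
	p := strings.Split(token, ".")
	sig, err := base64.RawURLEncoding.DecodeString(p[len(p)-1])
	if len(p) != 3 || err != nil {
		return nil, errors.New("malformed token")
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // RS256 signs "header.payload"
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature was not produced by the realm key")
	}
	var c struct {
		Iss         string `json:"iss"`
		RealmAccess struct{ Roles []string `json:"roles"` } `json:"realm_access"`
	}
	if pb, err := base64.RawURLEncoding.DecodeString(p[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return nil, errors.New("payload unreadable")
	}
	if c.Iss != issuer {
		return nil, errors.New("issuer does not match the expected realm")
	}
	return c.RealmAccess.Roles, nil
}

// SignRS256 mints a token as the realm would; a constructed test fixture only (the app gets tokens from Keycloak).
func SignRS256(payload string, key *rsa.PrivateKey) string {
	in := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." +
		base64.RawURLEncoding.EncodeToString([]byte(payload))
	d := sha256.Sum256([]byte(in))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	return in + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

A token whose payload was edited after signing, one signed by a different key, or one carrying another realm's issuer all fail VerifyToken, so the roles it returns can be trusted for access control decisions.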
Relates to: AEROGEAR-4304 Implement a function to get a list of Users Roles (Resolved)