AEROGEAR-4381

Implement a function to check the Integrity of the Identity/Access Token


    • Type: Task
    • Resolution: Done
    • Priority: Major

      What

      We should verify that the access token was signed using the Keycloak realm that it originated from to prevent tampering on the client side.

      Why

      To prevent the possibility of a malicious user tampering with the access token to add additional roles to attempt to bypass some access control checks in the mobile app.

      How

      This should be called before carrying out access control decisions within the app (it can probably be part of the getRoles function in AGDROID-684). This function should confirm that the access token was signed using the realm that the client interacts with. The public key of the realm can probably be hard coded in the application and used for digital signature checks.

      The issuer can be matched too: compare the realm URL the client uses (e.g. http://localhost:8080/auth/realms/MY_REALM) to the issuer (iss) claim of the JWT.

      Perhaps there can be a verifyToken() and a verifyIssuer()

      Note: This probably doesn't need to be exposed by the SDK. It's probably just an additional check to perform.
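      As an added illustration of the two checks proposed above (not code from the AeroGear SDK), the following Java class pins the algorithm to RS256, verifies the signature against a hard-coded realm public key, and compares the iss claim to the realm URL. It assumes java.util.Base64 and org.json are available (both are on Android); the key value is a placeholder you would replace with the realm's actual public key.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import org.json.JSONObject;

public final class TokenIntegrityCheck {
    // Placeholder (assumption): the realm's RSA public key as base64 SPKI/DER, copied from the
    // Keycloak realm's key settings and hard coded in the app, as the issue proposes.
    private static final String REALM_PUBLIC_KEY_B64 = "<REALM_PUBLIC_KEY_BASE64>";
    // The realm URL the client talks to; must equal the token's "iss" claim.
    private static final String EXPECTED_ISSUER = "http://localhost:8080/auth/realms/MY_REALM";

    // Returns true only if the JWT is RS256-signed by the hard-coded realm key.
    public static boolean verifyToken(String jwt) {
        try {
            String[] parts = jwt.split("\\.");
            if (parts.length != 3) return false;
            Base64.Decoder url = Base64.getUrlDecoder();
            JSONObject header = new JSONObject(new String(url.decode(parts[0]), StandardCharsets.UTF_8));
            // Pin the algorithm: a tampered header claiming "none" or an HMAC alg is rejected outright.
            if (!"RS256".equals(header.optString("alg"))) return false;
            byte[] der = Base64.getDecoder().decode(REALM_PUBLIC_KEY_B64);
            PublicKey key = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
            Signature sig = Signature.getInstance("SHA256withRSA");
            sig.initVerify(key);
            // The signature covers the header.payload text exactly as received, not re-serialised JSON.
            sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
            return sig.verify(url.decode(parts[2]));
        } catch (Exception e) {
            return false; // malformed token, bad key material or signature failure: all treated as invalid
        }
    }

    // Returns true only if the payload's "iss" claim matches the realm the client interacts with.
    public static boolean verifyIssuer(String jwt) {
        try {
            String[] parts = jwt.split("\\.");
            if (parts.length != 3) return false;
            JSONObject payload = new JSONObject(
                new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8));
            return EXPECTED_ISSUER.equals(payload.optString("iss"));
        } catch (Exception e) {
            return false;
        }
    }

    // Gate to call before access control decisions, e.g. before reading roles out of the token.
    public static boolean isTrusted(String jwt) {
        return verifyToken(jwt) && verifyIssuer(jwt);
    }
}
```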

            akeating-1 Aiden Keating (Inactive)
            tjackman_jira Tom Jackman (Inactive)


                Estimated: 1d
                Remaining: 0m
                Logged: 2d 6h