
Clarify token validation to resolve #2360 #2431

Merged: 2 commits, Dec 5, 2024

Conversation

tghosth (Collaborator) commented Dec 5, 2024

This Pull Request relates to issue #2360

tghosth (Collaborator, Author) commented Dec 5, 2024

@randomstuff @TobiasAhnoff @elarlang

@tghosth tghosth merged commit fb17168 into master Dec 5, 2024
6 checks passed
elarlang (Collaborator) left a comment

I approve this one, but I'm not sure whether all of them should be level 1 requirements.

| **52.1.1** | [MOVED FROM 3.5.3, MODIFIED, LEVEL L2 > L1] Verify that the authenticity of cryptographically secured tokens is validated using their digital signature or MAC to protect against tampering before accepting the token's contents. | ✓ | ✓ | ✓ | 345 |
| **52.1.2** | [ADDED] Verify that only algorithms on an allowlist are used to create and validate cryptographically secured tokens. The allowlist must only include algorithms which are considered strong for this purpose according to current recommendations (such as PS256 for JWTs) and must not allow integrity validation to be ignored (such as accepting the 'None' algorithm for JWTs). | ✓ | ✓ | ✓ | 757 |
| **52.1.3** | [ADDED] Verify that when the application validates the authenticity of a cryptographically secured token, it only uses key material for the specified cryptographic algorithms and intended usages, to prevent key confusion attacks. For keys provided in JWK format, this can be done by validating the 'kty', 'use', 'key_ops', or 'alg' headers. | ✓ | ✓ | ✓ | |
| **52.1.4** | [ADDED] Verifythat the application validates the authenticity of a cryptographically secured token based on key material that is bound to the token issuer. For JWTs and other JWS structures, if the application resolves the key material based on the 'jwk', 'jku', 'x5u' or 'kid' headers, it must interpret and validate (for example using an allowlist) these values depending on the token issuer. | ✓ | ✓ | ✓ | |
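Review bot: 52.1.4 is missing a space in "Verifythat". Two wording points on the same rows: in 52.1.3, 'kty', 'use', 'key_ops' and 'alg' are JWK parameters (members of the key object per RFC 7517), not token headers; of these only 'alg' also exists as a JOSE header, so "headers" should read "parameters" (or "JWK parameters"). In 52.1.2 the JWS algorithm identifier is registered as the lowercase string 'none' (RFC 7518), so quoting it as 'None' is imprecise; the requirement could say that the 'none' algorithm (in any spelling or casing) must be rejected, since that is what implementations need to match against.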
Contributor commented:

Missing comma. "Verify that"

randomstuff (Contributor) commented:

> I approve this one, but I'm not sure whether all of them should be level 1 requirements.

Maybe 52.1.3 might be level 2. For the other ones, I think they definitely have to be level 1.
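As an added example that is not part of this pull request or of the ASVS project, the following Python validator applies the four requirements under discussion (52.1.1 to 52.1.4) to a compact JWS. It uses HS256 only because the standard library has no RSA-PSS (a production allowlist would name PS256 or similar); the issuer URLs, key ids, secrets and tokens are constructed for the demonstration and are not from the page.

```python
import base64
import hashlib
import hmac
import json

# 52.1.2: explicit allowlist; 'none' can never appear on it. HS256 only because
# the stdlib has no RSA-PSS (assumption for this demo; real lists would name PS256).
ALLOWED_ALGS = {"HS256"}
ALG_TO_KTY = {"HS256": "oct"}  # 52.1.3: JWK key type expected for each algorithm


class TokenValidationError(Exception):
    pass


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Mint a compact HS256 JWS; used here only to build the constructed samples."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def select_key(jwk: dict, alg: str) -> bytes:
    """52.1.3: accept a JWK only if its kty, use, key_ops and alg fit the token's alg."""
    if jwk.get("kty") != ALG_TO_KTY[alg]:
        raise TokenValidationError("key type does not match algorithm")
    if jwk.get("use", "sig") != "sig":
        raise TokenValidationError("key not intended for signatures")
    if "verify" not in jwk.get("key_ops", ["verify"]):
        raise TokenValidationError("key not permitted for verify")
    if jwk.get("alg", alg) != alg:
        raise TokenValidationError("key bound to a different algorithm")
    return b64url_decode(jwk["k"])


def validate_token(token: str, expected_issuer: str, key_registry: dict) -> dict:
    """Return the claims only after the MAC has been checked with issuer-bound key material."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise TokenValidationError("malformed token")
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # also rejects 'none' in any spelling
        raise TokenValidationError(f"algorithm not allowed: {alg!r}")
    # 52.1.4: key references carried inside the token are not trusted; 'kid' is resolved
    # only against the keys pre-registered for the issuer this endpoint expects.
    if any(h in header for h in ("jwk", "jku", "x5u")):
        raise TokenValidationError("inline key references are not accepted")
    issuer_keys = key_registry.get(expected_issuer, {})
    if header.get("kid") not in issuer_keys:
        raise TokenValidationError("unknown kid for issuer")
    key = select_key(issuer_keys[header["kid"]], alg)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # 52.1.1
        raise TokenValidationError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # contents read only after the MAC check
    if claims.get("iss") != expected_issuer:
        raise TokenValidationError("issuer mismatch")
    return claims


# Constructed sample key material: two issuers, each with its own kid allowlist.
ISSUER_A, ISSUER_B = "https://issuer-a.example", "https://issuer-b.example"
KEY_A, KEY_B = b"constructed-secret-for-issuer-a-32", b"constructed-secret-for-issuer-b-32"
KEY_REGISTRY = {
    ISSUER_A: {
        "a-2024": {"kty": "oct", "use": "sig", "alg": "HS256", "k": b64url_encode(KEY_A)},
        "a-enc": {"kty": "oct", "use": "enc", "k": b64url_encode(KEY_A)},
    },
    ISSUER_B: {"b-2024": {"kty": "oct", "use": "sig", "alg": "HS256", "k": b64url_encode(KEY_B)}},
}


def run_cases() -> dict:
    """Validate constructed tokens at ISSUER_A's endpoint; returns claims or the error string."""
    good = sign_hs256({"alg": "HS256", "kid": "a-2024"}, {"iss": ISSUER_A, "sub": "alice"}, KEY_A)
    h, p, s = good.split(".")
    forged_payload = b64url_encode(json.dumps({"iss": ISSUER_A, "sub": "admin"}).encode())
    cases = {
        "valid": good,
        "alg_none": b64url_encode(b'{"alg":"none","kid":"a-2024"}') + "." + p + ".",
        "tampered": f"{h}.{forged_payload}.{s}",
        "other_issuer_kid": sign_hs256({"alg": "HS256", "kid": "b-2024"}, {"iss": ISSUER_A}, KEY_B),
        "encryption_key": sign_hs256({"alg": "HS256", "kid": "a-enc"}, {"iss": ISSUER_A}, KEY_A),
        "iss_mismatch": sign_hs256({"alg": "HS256", "kid": "a-2024"}, {"iss": ISSUER_B}, KEY_A),
    }
    results = {}
    for name, token in cases.items():
        try:
            results[name] = validate_token(token, ISSUER_A, KEY_REGISTRY)
        except TokenValidationError as exc:
            results[name] = str(exc)
    return results
```

Calling `run_cases()` shows the valid token's claims and the rejection reason for each of the other five tokens. Note that `expected_issuer` is supplied by the receiving endpoint's configuration, not read from the unverified 'iss' claim: the registry is keyed by that expected issuer so a 'kid' can only ever select keys that issuer is allowed to use, and the claim is compared against it only after the MAC has been checked.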
