Hi guys, I have read most of the documentation regarding the JWT token assertion, but I want to make sure of some things, like this token being an ‘opaque’ token. Can anyone explain it in a simpler way? Do we need to actually verify this JWT token assertion in upstream services?
Does that mean there are risks if we actually forward the access token and/or ID token to internal upstream services? What are the risks if we do that?
Can anyone explain it in a simpler way?
Pomerium JWT verification protects your app from misconfiguration. It’s an additional check to ensure that your users CANNOT directly access the app you are trying to protect without having gone through Pomerium. For example, imagine that an upstream service which did not have authentication was accidentally exposed to the public internet. The JWT check would reject that.
Do we need to actually verify this JWT token assertion in upstream services?
It’s not mandatory, but it adds an additional level of security that prevents misconfiguration of services in your infrastructure. We have an SDK to make the verification easier (Go/JS). Our “verify” app is built using the Go SDK, if you are looking for an example. We also have JavaScript examples. Alternatively, you can do the verification using a sidecar setup; we have an example of sidecar verification using Envoy.
Does that mean there are risks if we actually forward the access token and/or ID token to internal upstream services? What are the risks if we do that?
Yes. If an attacker is able to compromise one of your upstream services, they will also be able to use that access token. An attacker could use that access token to make additional API calls which could further leak information and (depending on the assigned scopes) be used to mutate, or even control, their account.

You are effectively shrinking the attack surface of your stack by preventing the access token from being sent to the upstream service. This is especially useful if you have a fleet of legacy applications that may be out of date, or may not have implemented OAuth2/OIDC/SSO correctly. Again, this depends a great deal on what scopes are assigned to the OAuth2 app.

ID tokens tend to be less sensitive, so long as you are comfortable with the data being sent to the upstream application. They typically do not contain secrets but user data. Indeed, Pomerium’s assertion header contains most of the same fields.

Hope that helps!
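To make the verification step discussed above concrete, here is an added example of what an upstream service should check on the X-Pomerium-Jwt-Assertion header before trusting it. It is written for this page; it is not Pomerium’s Go SDK, its “verify” app, or its Envoy sidecar, and it uses only the Go standard library. It assumes the assertion is signed ES256 with a P-256 key (Pomerium’s default, whose public half is published as an EC JWK at /.well-known/pomerium/jwks.json), that `aud` is a single string, and that the issuer and audience values (authenticate.example.com, app.example.com) are placeholders for your own authenticate service and protected route. The signing key and the token are generated inline, as a stand-in for what Pomerium would produce, so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Claims holds the assertion fields this example checks. Pomerium's assertion
// carries more (user, groups, ...); only what verification needs is modelled,
// and aud is assumed to be a single string.
type Claims struct {
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Exp   int64  `json:"exp"`
	Email string `json:"email"`
}

var b64 = base64.RawURLEncoding

// SignES256 mints a JWT with a P-256 key. It stands in for Pomerium's signing
// step so the example runs offline; it is not the project's code.
func SignES256(priv *ecdsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256 signature is r||s, 32 bytes each (RFC 7518 §3.4)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyAssertion is what the upstream runs on X-Pomerium-Jwt-Assertion:
// pinned algorithm, signature over header.payload, then exp, iss and aud.
// In production pub comes from Pomerium's JWKS endpoint, fetched over TLS.
func VerifyAssertion(raw string, pub *ecdsa.PublicKey, wantIss, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, errH := b64.DecodeString(parts[0])
	body, errB := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errB != nil || errS != nil || len(sig) != 64 {
		return nil, errors.New("bad token encoding")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "ES256" {
		// Never let the token choose the algorithm (alg=none, HS256 confusion).
		return nil, errors.New("unexpected or missing alg; only ES256 is accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(pub, digest[:], r, s) {
		return nil, errors.New("signature invalid")
	}
	var c Claims // only now are the claims worth reading
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch {
	case now.Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Iss != wantIss:
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != wantAud:
		return nil, fmt.Errorf("unexpected audience %q", c.Aud)
	}
	return &c, nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for Pomerium's signing key
	now := time.Now()
	tok, _ := SignES256(priv, Claims{Iss: "authenticate.example.com", Aud: "app.example.com", Exp: now.Add(time.Hour).Unix(), Email: "alice@example.com"})
	c, err := VerifyAssertion(tok, &priv.PublicKey, "authenticate.example.com", "app.example.com", now)
	fmt.Println(c, err) // a request that came through Pomerium: claims and no error
	_, err = VerifyAssertion(tok, &priv.PublicKey, "authenticate.example.com", "other.example.com", now)
	fmt.Println(err) // the same assertion replayed against another route is rejected
}
```

The order matters: the algorithm is pinned and the signature checked before any claim is read, and the audience check is what stops an assertion minted for one route from being replayed against another. A request that reached the app without going through Pomerium carries no header at all, or a stale or forged one, and fails the same checks, which is the misconfiguration case described above.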
@CMo
We’ll try to update our documentation to make it clearer! For questions like these, do you mind making a thread on our Discuss so that other users who may be confused can also benefit from searchable threads? Thanks!
We have a blog post too - hope this helps!