Skip to content
This repository has been archived by the owner on Dec 12, 2024. It is now read-only.

[http-api] request tokens should be JWTs #210

Closed
3 tasks
mistermoe opened this issue Dec 20, 2023 · 3 comments · Fixed by #216 or TBD54566975/tbdex-kt#125
Closed
3 tasks

[http-api] request tokens should be JWTs #210

mistermoe opened this issue Dec 20, 2023 · 3 comments · Fixed by #216 or TBD54566975/tbdex-kt#125
Assignees
@mistermoe @jiyoonie9
Labels
tbdex 1.0
Milestone
1.0

Comments

@mistermoe
Copy link
Member

mistermoe commented Dec 20, 2023
edited
Loading

currently, the request token used to authenticate requests like GET /exchanges is a JWS that include:

Header:

  • alg
  • kid

Payload:

  • timestamp

I'm proposing that we shift to using JWTs instead.

the JWT should contain the following:

Header:

  • typ: JWT.
    • we have all sorts of signatures and tokens flying around. setting typ to JWT as recommended by the JWT spec to provide a means to disambiguate
  • kid: fully qualified verificationMethod ID. used to locate the verification method in a DID Document that should be used to verify the JWT signature
  • alg: cryptographic algorithm used to compute the JWT signature

Payload:

  • aud: the intended PFI's DID
    • In our existing setup, if a request token is compromised, it could potentially be misused with any PFI. By incorporating the aud claim, we can limit the risk to just one PFI, thereby reducing the surface area for misuse.
  • iss: the requester's DID
    • including to be informative. this is technically duplicative as the kid also includes the requester's DID
  • exp: expiration timestamp
    • limits the amount of time a compromised request token can be used. our current request tokens have no expiration. if one were compromised they could be used indefinitely. including exp limits the duration of the attack vector
  • iat: when the JWT was created
    • including to be informative
  • jti: used as a nonce to prevent replay attacks.
    • spec text should include more detail around exactly how to prevent replay attacks

TODOs:
PR to address this issue should:

  • update relevant spec text
  • re-generate test vectors.
  • publish draft PR and await PRs for JS and KT
@mistermoe
Copy link
Member Author

cc: @jiyoontbd

This was referenced Dec 20, 2023
Closed
Closed
Closed
@jiyoonie9
Copy link
Contributor

the todos here also mention adding nbf which is another timestamp. do we need this field in addition to jti (since that's essentially a timestamp as well)?

@mistermoe
Copy link
Member Author

Good question @jiyoontbd! Can't think of a reason to include nbf. Down to leave it out if you are. Can't really see scenarios where people are generating and storing request tokens ahead of time that shouldn't be used until a specified time

@jiyoonie9 jiyoonie9 mentioned this issue Dec 22, 2023
Merged
@mistermoe mistermoe moved this to In Progress in SDK Development Jan 8, 2024
@mistermoe mistermoe added this to the 1.0 milestone Jan 8, 2024
This was linked to pull requests Jan 11, 2024
Refactor request token to be a JWT TBD54566975/tbdex-kt#125
Merged
[http-client] Refactor request token to be a JWT TBD54566975/tbdex-js#126
Closed
@github-project-automation github-project-automation bot moved this from In Progress to Done in SDK Development Jan 16, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@mistermoe mistermoe

@jiyoonie9 jiyoonie9

Labels
tbdex 1.0
Projects
SDK Development
Status: Done
Milestone
1.0
2 participants
@mistermoe @jiyoonie9