Validating identity tokens


bigblind

Jul 11, 2016, 4:33:44 PM
to Firebase Google Group
The documentation for verifying an ID token using some other JWT library tells you to verify the kid, aud, and iss fields. All of these are fairly static, making this check vulnerable to replay attacks. I would suggest adding 2 checks:

  1. Check the exp claim to make sure the token hasn't expired
  2. Use the iat field as an identifier to check for duplicates. I can't imagine two ID tokens for the same user issued in the same second could be useful. So you can check that only one ID token per user with a given iat value can be used.
Best regards,
Frederik

Jacob Wenger

Jul 11, 2016, 9:11:09 PM
to fireba...@googlegroups.com
Hey Frederik,

Thanks for the feedback! You are very correct that our documentation should specify that you should ensure the token is not expired. I'll get that added to the docs immediately. I'll also add a note that the issued-at time should be in the past (just as a sanity check).

Developers can choose to allow or disallow multiple tokens generated at the same iat. I don't see a particular security issue there, so I think I'm going to leave it out of the docs for simplicity's sake. Feel free to do this on your backend though.

Thanks again for calling this out!

Cheers,
Jacob

--
You received this message because you are subscribed to the Google Groups "Firebase Google Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to firebase-tal...@googlegroups.com.
To post to this group, send email to fireba...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/firebase-talk/91fe58d9-d974-4502-bc37-6c1ad18357de%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

bigblind

Jul 17, 2016, 12:13:34 PM
to Firebase Google Group
Hi Jacob,

Thank you for your reply. The security issue I see is a replay attack: if someone captured an ID token that has already been used, they could still send it to the server to impersonate the user. On my own server, I would allow a token for a given user, issued at a certain time, only once. The token would be exchanged for an HTTP-only cookie, which is less prone to getting captured, since the connection is secure. But yeah, this might not be necessary for every application.

Best regards,
Frederik.
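The checks discussed in this thread (kid, aud, iss, exp, iat in the past, and the optional one-use-per-user-and-iat replay guard from the posts above) as one backend routine. This is an added example, not code from the thread or from Firebase: it assumes the JWT library has already verified the RS256 signature against the public key named by the header's kid and handed back the decoded header and claims; the project ID, the set of allowed key IDs, the token values and the in-memory ReplayGuard store are all constructed for illustration, and the issuer URL form is the one the Firebase docs give and should be confirmed against current docs.

```python
"""Claim checks for a Firebase ID token, run after the JWT library has
verified the RS256 signature with the key named by the header's kid.
Added example with constructed values; not Firebase's own code."""

import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class ReplayGuard:
    """Remember (sub, iat) pairs already redeemed so a captured token cannot
    be presented a second time. Entries are dropped once the token they
    belong to has expired, since the exp check rejects it from then on.
    In-memory store for illustration; a shared cache would be used in
    production."""

    seen: Dict[Tuple[str, int], int] = field(default_factory=dict)  # (sub, iat) -> exp

    def first_use(self, sub: str, iat: int, exp: int, now: int) -> bool:
        # Forget tokens that can no longer pass the exp check.
        self.seen = {k: e for k, e in self.seen.items() if e > now}
        key = (sub, iat)
        if key in self.seen:
            return False
        self.seen[key] = exp
        return True


def validate_claims(claims: dict, header: dict, *, project_id: str,
                    allowed_kids: Set[str], now: Optional[int] = None,
                    replay_guard: Optional[ReplayGuard] = None,
                    leeway: int = 0) -> Tuple[bool, str]:
    """Return (True, "ok") if every claim check passes, else (False, reason).

    project_id:   the Firebase project this backend serves (assumed name)
    allowed_kids: key IDs currently published by Firebase (assumed set)
    leeway:       seconds of clock skew tolerated between issuer and backend
    """
    now = int(time.time()) if now is None else now

    # Pin the algorithm so a token signed another way is never accepted,
    # whatever the library was willing to verify.
    if header.get("alg") != "RS256":
        return False, "alg"
    if header.get("kid") not in allowed_kids:
        return False, "kid"
    if claims.get("aud") != project_id:
        return False, "aud"
    # Issuer form per the Firebase docs; confirm against current docs.
    if claims.get("iss") != f"https://securetoken.google.com/{project_id}":
        return False, "iss"
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        return False, "sub"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        return False, "exp/iat"
    if exp <= now - leeway:
        return False, "expired"          # the check Frederik asked for
    if iat > now + leeway:
        return False, "iat in the future"  # Jacob's sanity check
    # Optional: each (user, iat) is redeemable once, as in Frederik's design.
    if replay_guard is not None and not replay_guard.first_use(sub, iat, exp, now):
        return False, "replay"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample header and claims, with a fixed clock.
    header = {"alg": "RS256", "kid": "key-1"}
    claims = {"aud": "demo-project",
              "iss": "https://securetoken.google.com/demo-project",
              "sub": "uid-1", "iat": 1000, "exp": 4600}
    guard = ReplayGuard()
    kw = dict(project_id="demo-project", allowed_kids={"key-1"}, replay_guard=guard)
    print(validate_claims(claims, header, now=1500, **kw))  # first use
    print(validate_claims(claims, header, now=1600, **kw))  # same token again
```

With the guard enabled, the endpoint that receives the ID token should be the one that mints the HTTP-only session cookie; the token is consumed on that call and the cookie, not the JWT, carries the session afterwards. Pass `replay_guard=None` for backends that legitimately accept the same JWT on several requests before it expires, which is the case Jacob mentions.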

Jacob Wenger

Jul 17, 2016, 9:47:14 PM
to fireba...@googlegroups.com
Fair point. I don't think we want to add this level of detail to the docs because I think it will confuse the average developer more than help them and there are some use cases where you may want to send the same JWT multiple times to your backend before it expires. But for your use case, it seems like a valid thing to do. Thanks again for calling these out. Note that the docs have already been updated:


Cheers,
Jacob
