Split Token Flow: A solution to the security problem of the JWT
OAuth2, OIDC, and the token format they lean on, the JWT, have been industry standards for many years, with no sign of slowing down. On the contrary, the OAuth specifications continue to be iteratively improved, and profiles such as SMART on FHIR and Open Banking build directly on them.
All that to say, we should expect the OAuth flow to continue to reign supreme.
There are two kinds of access token in the OAuth flow: opaque and JWT (a JWS, more precisely, since the token is signed but not encrypted). The problem with the JWT is its inherent leakiness: the claims are only base64url-encoded, so anyone who holds the token can read them without any key. There is a massive debate amongst the community…
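As an added illustration of that leakiness (this is not code from the original post): the script below mints a demo HS256 token and then reads its claims back using nothing but base64 decoding, while verifying the signature is the only step that needs the key. The key, claims and token are constructed for the example, and `make_jwt` is a throwaway signing helper for the demo, not something to use in production.

```shell
#!/bin/sh
# Added example, not from the original post: a JWT's claims are readable by anyone who
# holds the token; only *verifying* it needs the key. Key, claims and token below are
# constructed for the demo. Needs coreutils base64 and openssl.
set -e

b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }   # base64url, no padding

# Decode one base64url segment, restoring the padding that JWTs strip.
b64url_decode() {
  seg="$(printf '%s' "$1" | tr '_-' '/+')"
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Mint an HS256 JWT (constructed signing helper, demo only).
make_jwt() {   # make_jwt '<claims json>' '<hmac key>'
  header="$(printf '%s' '{"alg":"HS256","typ":"JWT"}' | b64url)"
  payload="$(printf '%s' "$1" | b64url)"
  sig="$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -hmac "$2" -binary | b64url)"
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# The leak: the payload is the second dot-separated segment and it is only encoded,
# not encrypted. No key, no verification, and the claims fall out.
jwt_claims() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# Verification, by contrast, needs the key: recompute the HMAC and compare.
# (A real verifier uses a constant-time comparison; plain [ = ] is fine for a demo.)
jwt_verify() {   # jwt_verify TOKEN KEY -> exit 0 if the signature matches
  signed="$(printf '%s' "$1" | cut -d. -f1,2)"
  expected="$(printf '%s' "$signed" | openssl dgst -sha256 -hmac "$2" -binary | b64url)"
  [ "$(printf '%s' "$1" | cut -d. -f3)" = "$expected" ]
}
```

Run `jwt_claims "$(make_jwt '{"sub":"alice"}' some-key)"` and the JSON comes straight back; that is the property an opaque token does not have, and the one the split token flow is designed to remove.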
Let’s say you cloned a public open source repo to your laptop, and now you’re ready to publish it to your own repository.
So if I clone a public repo:
➜ git clone https://github.com/sedkis/auth-plugin
➜ git remote -v
origin https://github.com/sedkis/auth-plugin (fetch)
origin https://github.com/sedkis/auth-plugin (push)
It’s pointing at the original repo. To publish it somewhere else, first create the new (empty) repo on GitHub (or wherever), then point origin at it and push. Since the new remote has no branches yet, set the upstream on the first push with -u so that later bare git push calls work. (git remote set-url origin <url> does the remove-and-add in one step.)
➜ git remote rm origin
➜ git remote add origin git@github.com:new-origin/auth-plugin.git
➜ git remote -v
origin git@github.com:new-origin/auth-plugin.git (fetch)
origin git@github.com:new-origin/auth-plugin.git (push)
➜ git push -u origin HEAD
Voilà! The code is published to my own repo.
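The same move as an added example (not the original post's code): a small POSIX shell script that keeps the source repo reachable as upstream, which is handy for pulling future changes, and pushes with -u so later plain git push calls work. It runs entirely against local bare repositories created by make_fixture_repos, so the paths and names are constructed stand-ins for the GitHub URLs above.

```shell
#!/bin/sh
# Added example, not the original post's code: re-point a clone at a new origin while
# keeping the source repo reachable as "upstream", then push with -u so a plain
# `git push` works afterwards. Runs entirely against local bare repositories, so the
# paths are constructed stand-ins for github.com/sedkis/auth-plugin and the new host.
set -e

WORK="$(mktemp -d)"

# Build the stand-in "public" repo (one commit) and an empty "new host" repo.
make_fixture_repos() {
  git init -q --bare "$WORK/public-auth-plugin.git"
  git init -q --bare "$WORK/new-origin-auth-plugin.git"
  git init -q "$WORK/seed"
  git -C "$WORK/seed" -c user.name=demo -c user.email=demo@example.invalid \
      commit -q --allow-empty -m "initial commit (constructed)"
  git -C "$WORK/seed" push -q "$WORK/public-auth-plugin.git" HEAD
}

# Clone SRC into CLONE, keep SRC as "upstream", make DST the new "origin", push with -u.
republish() {   # republish SRC DST CLONE
  src="$1"; dst="$2"; clone="$3"
  git clone -q "$src" "$clone"
  git -C "$clone" remote rename origin upstream       # keeps a path back to the source
  git -C "$clone" remote add origin "$dst"
  branch="$(git -C "$clone" rev-parse --abbrev-ref HEAD)"
  git -C "$clone" push -q -u origin "$branch"        # -u: later `git push` needs no args
}

remote_url() { git -C "$1" remote get-url "$2"; }   # remote_url CLONE origin|upstream
```

Against real hosts you would skip make_fixture_repos and call republish with the two URLs, e.g. republish https://github.com/sedkis/auth-plugin git@github.com:new-origin/auth-plugin.git auth-plugin.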
A really efficient command line is a big time saver. It’s worth taking the time to set up a terminal that is intuitive and customized to you and your workflow.
With the right software you get things like autocompletion for your Git commands, Docker commands and more. That alone is worth it. But you also get DARK MODE!
Here’s an easy way to keep your Docker secret references in version control, without creating a separate Dockerfile for each environment. The secret values themselves live in Docker secrets, never in the repo.
Before you continue, I assume you have a decent understanding of:
We’ll build the image around a single generic secret name, and then map an environment-specific secret onto that generic name at deploy time, so the container always reads the same path regardless of environment.
First, create the Docker secrets in the environment. This needs swarm mode, so run docker swarm init on a fresh host first. Use printf rather than echo so the secret doesn’t pick up a trailing newline, and for a real password pipe it in from a file rather than typing it on the command line, where it would land in your shell history:
➜ printf '%s' "devpwd" | docker secret create my-secret-DEV -
➜ printf '%s' "prdpwd" | docker secret create my-secret-PRD -
➜ docker secret ls
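Putting the mapping together, as an added example (not the original post's code): each environment gets its own secret, and the service is launched with --secret source=...,target=... so the container only ever sees the generic name under /run/secrets/my-secret. It needs swarm mode; the names my-secret, my-secret-DEV, my-secret-PRD, the service auth-plugin and the image sedkis/auth-plugin are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not the original post's code: one Docker secret per environment, and a
# service that sees whichever one matches its environment under the single generic name
# the image expects (/run/secrets/my-secret). Requires swarm mode (`docker swarm init`).
# "my-secret", "my-secret-DEV"/"-PRD", "auth-plugin" and "sedkis/auth-plugin" are
# placeholders.
set -e

GENERIC_NAME="my-secret"   # what the container reads: /run/secrets/my-secret

# Create the environment-specific secret from a file rather than a shell argument, so the
# value never lands in shell history or `ps` output. Trailing newlines are stripped so an
# editor-saved file does not bake "\n" into the password the way `echo` would.
create_env_secret() {   # create_env_secret DEV /path/to/devpwd.txt
  env_name="$1"; value_file="$2"
  tr -d '\n' < "$value_file" | docker secret create "${GENERIC_NAME}-${env_name}" -
}

# The mapping: expose secret my-secret-<ENV> to the container as plain my-secret.
secret_mapping() {   # secret_mapping DEV -> source=my-secret-DEV,target=my-secret
  printf 'source=%s-%s,target=%s' "$GENERIC_NAME" "$1" "$GENERIC_NAME"
}

# Start the service with the mapped secret; the image needs no per-environment build.
deploy_service() {   # deploy_service DEV auth-plugin sedkis/auth-plugin
  env_name="$1"; service="$2"; image="$3"
  docker service create --name "$service" \
      --secret "$(secret_mapping "$env_name")" "$image"
}
```

On the DEV host you would run create_env_secret DEV devpwd.txt followed by deploy_service DEV auth-plugin sedkis/auth-plugin; on PRD the same two calls with PRD. Inside the container, code reads /run/secrets/my-secret in both cases, so the Dockerfile and the deploy script are identical across environments and can be committed as they are.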