When stateless authentication tokens (e.g., JSON Web Tokens [JWT]) are issued or validated by the shared libraries a microservice uses, security precautions must be observed.
The API must configure tokens for stateless authentication to ensure secure validation, prevent unauthorized access, and maintain integrity without relying on server-side sessions.
Check
Verify the API configures tokens with the appropriate security settings, when stateless authentication tokens are used.
1. Token expiry times must be as short as practical. A stateless token remains valid until it expires and cannot be revoked server-side, so the expiry time is the effective session duration.
If an expiration time is not configured in accordance with organizational defined limits, this is a finding.
2. The token secret key must not be part of the library code; it must be supplied at runtime as a dynamic value, read from an environment variable or an environment data file.
Inspect the library source, its configuration, and the requests it builds for an embedded token secret. If a token secret key is part of library code, this is a finding.
3. The key value must be stored in a data vault solution. Check application configuration files and environment variables for references to vault storage.
If a key value is not stored in a data vault solution, this is a finding.
Fix
Build or configure tokens for stateless authentication to ensure secure validation, prevent unauthorized access, and maintain integrity without relying on server-side sessions.
1. Configure the token expiration time in accordance with organizational defined limits.
2. Configure the token secret key as a dynamic value supplied by an environment variable or an environment data file, never in library code.
3. Store the key value in a data vault solution and reference it from configuration or environment variables.
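The following is an added example, not text or code from the STIG, showing what the Check and Fix items look like in a minimal HS256 JWT issuer/validator: the lifetime is capped by an organizational limit, the signing key is read from an environment variable rather than embedded in code, and validation pins the algorithm, checks the signature with a constant-time compare, and rejects tokens at or past `exp`. The limit of 900 seconds, the variable name `JWT_SIGNING_KEY`, and the demo key are assumptions for illustration; it uses only the Python standard library so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumed organizational limit on token lifetime (15 minutes); not from the STIG text.
MAX_TOKEN_LIFETIME_SECONDS = 900
# Assumed environment variable name that carries the HS256 signing key.
SECRET_ENV_VAR = "JWT_SIGNING_KEY"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_secret(env=None) -> bytes:
    """Read the signing key from the environment (or a supplied mapping).
    The key never appears in source; fail closed if it is missing or too short."""
    env = os.environ if env is None else env
    key = env.get(SECRET_ENV_VAR)
    if not key:
        raise RuntimeError(f"{SECRET_ENV_VAR} is not set")
    if len(key) < 32:
        raise RuntimeError(f"{SECRET_ENV_VAR} must be at least 32 bytes for HS256")
    return key.encode("utf-8")


def issue_token(secret: bytes, subject: str, lifetime_seconds: int, now: int = None) -> str:
    """Mint an HS256 JWT whose lifetime is bounded by the organizational limit."""
    if not 0 < lifetime_seconds <= MAX_TOKEN_LIFETIME_SECONDS:
        raise ValueError("token lifetime outside organizational limit")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + lifetime_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(secret: bytes, token: str, now: int = None) -> dict:
    """Validate algorithm, signature and expiry; raise ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the header choose it (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    expected = hmac.new(
        secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int):
        raise ValueError("token has no integer exp claim")
    if now >= exp:
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    # Constructed demo: the key comes from the process environment, never from code.
    os.environ.setdefault(SECRET_ENV_VAR, "demo-only-key-please-replace-0123456789")
    key = load_secret()
    tok = issue_token(key, "order-service", lifetime_seconds=300)
    print(verify_token(key, tok))
```

In a real service the environment variable would be populated from the vault (item 3 of the Check) at deploy time, and a vetted JWT library would replace the hand-rolled encoding; the point of the example is that the key never lives in the library, the lifetime is enforced at issuance, and an expired or tampered token fails closed.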