The API must generate access tokens in accordance with organization-defined identification and authentication policy.

STIG ID: SRG-APP-001005-API-001695 | SRG: SRG-APP-001005 | Severity: medium | CCI: CCI-005164, CCI-000366 | Vulnerability Id: V-274847

Vulnerability Discussion

An API must generate access tokens to securely manage authentication and authorization directly within the application. Access tokens, such as JWTs or opaque tokens, serve as verifiable credentials that clients present when accessing protected resources.

Without an API gateway to handle token issuance and validation, the API itself becomes responsible for ensuring only authenticated and authorized users can interact with it. By generating access tokens, the API enables secure, stateless sessions, simplifies permission checks, and reduces the need to validate user credentials on every request. This is essential for protecting sensitive data, enforcing access controls, and enabling scalable, secure communication in distributed systems.

Check

Review the organization's identification and authentication policy to understand requirements for access token generation, including allowed token types, token claims, encryption/signature requirements, and conditions under which tokens may be issued.

Examine the API or authentication server code/configuration responsible for token issuance. Verify it enforces authentication of clients or users before issuing a token and that it includes required attributes (e.g., subject ID, roles, scopes) based on the policy.

Generate tokens using valid authentication requests and inspect their structure and contents. Confirm the issued tokens include the proper claims, are correctly signed/encrypted, and match the formatting (e.g., JWT) required by policy.

Attempt to obtain tokens under various conditions, including successful and failed login attempts, and with different scopes or resource requests. Confirm tokens are only issued in compliance with authentication success and policy-based restrictions.

If the API uses an identity provider (IdP) or API gateway for token generation, review those configurations to verify they enforce organizational policies during token issuance.

If the API does not generate access tokens in accordance with organization-defined identification and authentication policy, this is a finding.

Fix

Build or configure the API to generate access tokens in accordance with organization-defined identification and authentication policy.
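The following is an added example, not part of this STIG and not code from any particular API product, showing the two halves the Check and Fix sections describe: an issuer that hands out a signed token only after the caller authenticates and only for scopes the policy and the user's grants allow, and an inspection routine that performs the Check steps (three-segment structure, algorithm, signature, required claims, issuer, lifetime, scope) against a written policy. It uses only the Python standard library. The user store, salt, signing key, issuer URL, the POLICY table, and the choice of HS256 are all constructed for this example; an organization's policy may require a different algorithm, claim set, or lifetime, and the POLICY table is the place to reflect that.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a hypothetical signing key, issuer and policy.
SIGNING_KEY = b"example-hs256-key-constructed-for-illustration"
ISSUER = "https://api.example.test"
POLICY = {
    "required_claims": {"iss", "sub", "iat", "exp", "roles", "scope"},
    "max_lifetime_seconds": 900,
    "allowed_scopes": {"orders:read", "orders:write", "profile:read"},
}

_SALT = b"constructed-salt"  # constructed; a real store uses a per-user random salt


def _hash_pw(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Constructed user store: hashed password plus the roles/scopes granted to the user.
USERS = {
    "alice": {
        "pw": _hash_pw("correct horse", _SALT),
        "roles": ["user"],
        "scopes": {"orders:read", "profile:read"},
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AuthError(Exception):
    """Raised when authentication fails or the request violates policy."""


def authenticate(username: str, password: str) -> dict:
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw"], _hash_pw(password, _SALT)):
        raise AuthError("invalid credentials")
    return user


def issue_token(username: str, password: str, requested_scopes, now=None) -> str:
    """Issue an HS256 JWT only after successful authentication and a scope check."""
    user = authenticate(username, password)  # fails closed: no token on bad credentials
    requested = set(requested_scopes)
    # Requested scopes must be both permitted by policy and granted to this user.
    if not requested <= POLICY["allowed_scopes"] or not requested <= user["scopes"]:
        raise AuthError("requested scope not permitted")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": username,
        "iat": now,
        "exp": now + POLICY["max_lifetime_seconds"],
        "roles": user["roles"],
        "scope": " ".join(sorted(requested)),
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def inspect_token(token: str, now=None) -> dict:
    """The Check steps: verify structure, signature and claims against POLICY.
    Returns the claims on success; raises ValueError naming the finding otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three segments)")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(SIGNING_KEY, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(parts[1]))
    missing = POLICY["required_claims"] - set(claims)
    if missing:
        raise ValueError("missing required claims: %s" % sorted(missing))
    if claims["iss"] != ISSUER:
        raise ValueError("issuer mismatch")
    if claims["exp"] - claims["iat"] > POLICY["max_lifetime_seconds"]:
        raise ValueError("lifetime exceeds policy")
    now = int(time.time()) if now is None else now
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if not set(claims["scope"].split()) <= POLICY["allowed_scopes"]:
        raise ValueError("scope outside policy")
    return claims
```

Running `inspect_token` over tokens obtained with valid and invalid credentials, and with scopes the user does not hold, is the practical form of the Check: every path that yields a token should pass inspection, and every failed or out-of-policy request should yield no token at all rather than a token that merely fails later.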