Vulnerability Discussion
An API must issue access tokens to independently handle authentication and authorization for securing access to its resources. By issuing access tokens, the API ensures only authenticated users with valid permissions can interact with the system.
Without an API gateway to centralize this process, the API itself must authenticate users, generate tokens (like JWTs), and validate those tokens on each request. This approach enables the API to maintain control over access policies, provides a stateless way of handling user sessions, and ensures sensitive data is protected by verifying the user's identity and access rights for every request. Issuing tokens directly also simplifies integration with other services and supports scalable, distributed architectures.
Check
Review the code, configuration or identity provider responsible for issuing tokens. Verify it enforces the required authentication procedures and that tokens are not issued without proper user or client validation.
Perform a valid authentication flow to receive an access token. Examine the token to ensure it includes required fields like sub (subject), aud (audience), exp (expiration), iat (issued at), and any scopes or roles defined by policy.
Attempt to obtain tokens using invalid credentials, insufficient authentication methods, or unauthorized client requests. Confirm the API does not issue access tokens in these cases, in alignment with the policy.
Check that the token is signed or encrypted using the approved cryptographic algorithms. Ensure keys are securely managed and that tokens cannot be tampered with.
Verify that the token's expiration time matches what the policy defines. Ensure short-lived tokens are used where required, especially for sensitive or high-risk data access.
Review API or identity provider documentation to confirm whether token issuance behavior aligns with organizational requirements.
If any misconfigurations are identified, this is a finding.
Fix
Build or configure the API to issue access tokens in accordance with organization-defined identification and authentication policy.
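An added illustration, not part of this requirement text or any vendor's implementation: a minimal issuer and validator in Python (standard library only) that applies the check steps above in order, with constructed policy values (ALLOWED_ALGS, REQUIRED_CLAIMS, MAX_LIFETIME, EXPECTED_AUD and the HS256 key) standing in for the organization-defined policy.

```python
import base64, hashlib, hmac, json, time
# Constructed policy values; real ones come from the organization-defined policy.
ALLOWED_ALGS = {"HS256"}      # approved algorithms; "none" or anything else is rejected
REQUIRED_CLAIMS = ("sub", "aud", "exp", "iat", "scope")
MAX_LIFETIME = 900            # seconds; short-lived tokens for sensitive resources
EXPECTED_AUD = "orders-api"   # hypothetical identifier of this API

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; call only after the subject has been authenticated."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token: str, key: bytes, now=None):
    """Return (ok, reason): algorithm allowlist, signature, required claims, audience, iat/exp, lifetime."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed header or payload"
    if header.get("alg") not in ALLOWED_ALGS:   # the token header never picks the algorithm
        return False, "algorithm not approved"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "signature mismatch"
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return False, "missing claims: " + ", ".join(missing)
    if claims["aud"] != EXPECTED_AUD:
        return False, "audience mismatch"
    if claims["iat"] > now:
        return False, "issued in the future"
    if claims["exp"] <= now:
        return False, "expired"
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return False, "lifetime exceeds policy"
    return True, "ok"
```

In a deployed API, a maintained JWT library with the same algorithm allowlist and claim checks should replace this hand-rolled version, which exists only to make each check from the procedure explicit.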