-
-
Notifications
You must be signed in to change notification settings - Fork 999
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Keep JWT tokens in the table instead of database settings (an idea) #809
Comments
This also kind of relates to #505, we could add an option to postgrest to use tokens from specific table for signature checking. |
@spinus This makes sense. I suggest the following structure for the table:
|
Hi @eric-brechemier , good suggestion. To discuss, as we talking about SQL table, let's express it in standard SQL... I also imagine the (optional) RefreshToken as in my issue#505 comment, so something like CREATE TABLE jwt_private_keys (
user_role_id bigint NOT NULL PRIMARY KEY, --- need REFERENCES to some user-role table
token_valid_from TIMESTAMPTZ NOT NULL DEFAULT now(),
token_valid_until TIMESTAMPTZ NOT NULL DEFAULT now()+interval '3 weeks',
rfshtoken_valid_until TIMESTAMPTZ DEFAULT now()+interval '1 year',
jwt_private_key BYTEA,
CHECK(rfshtoken_valid_until>token_valid_until),
CHECK(token_valid_until>token_valid_from)
) ... make sense for you? In the "standard RefreshToken approach" login creates the pair token-refreshToken. In this illustration, after 1 year the user need a new login... Each "RefreshToken event" updates the PS: remember the refresh token objective. |
@ppKrauss There is a confusion in your suggestion between tokens (1 per user) and keys/secrets (1 per server, currently). There is no need to store refresh tokens if they are JWT as well. Only the secret is needed to check that the refresh token is legit.
I am all in favor of using a common vocabulary, but let's not replace the problem to match the solution. The original issue was JWT secrets getting compromised, not JWT tokens. |
Hi @eric-brechemier, sorry, let's repair... Is not evident for me how the ACL is implement in PostgREST... Yes, ideal is "1 per user", but the simplest is to do separated login for each application (each id in a user-role table)... Show the modifications that I change the SQL table declaration of my post. |
@ppKrauss let's take an example: In 2016, Alice Corp launches the service
In 2017, Alice Corp is bought by Charlie Corp. They decide to migrate to a new secret and plan to upgrade all users to the new secret by 2018:
When the user bob42 connects to |
Sorry all, English is not my first language... Before to continue, a jargon question: Rule (as RFC7519 or Auth0) or Role (as PostgREST Guide)? ... Or always "JWT rule == Database role" in the PostgREST discussions? |
@ppKrauss the database role is stored in a JWT claim.
|
To recap, we want to keep the JWT server secret out of a GUC and move it into a table with proper permissions. That makes sense. This is just a change to the way people write their stored procs and other SQL, right, no anticipated changes necessary for the postgrest binary? |
@begriffs, depends. If the feature that postgrest is using secret from a table is desired (for example you dynamically change secret, you want to sign tokens with new key only, but you still want to support tokens signed by old one), I think postgrest would need to support reading secrets from table. |
I agreee @begriffs, and think that the best is to use a table and the pgcrypto extension. |
I made a docs issue for this approach, so closing the issue in this repo. |
good stuff, thanks |
pgCRON - funtion to keep tract of expiring jwt |
I was struggling with current_setting and
alter database <x> set <key> = <value>
(I needed to restart postgrest in order to work) and went to #PostgreSQL irc channel to ask about that.After I asked the question
ningu
andZr40
pointed me out that database settings can be read by anyone. It's ok if postgrest is the only client, but you never know :-)Zr40 suggested that probably better solution is to keep JWT tokens in separate table which can be nicely secured (and postgrest is using this feature quite a lot, together with schemas).
What do you think about refactoring examples to use this kind of approach rather than database setting which can be read by anyone?
The text was updated successfully, but these errors were encountered: