The cookie with the JWT contains the user identifying attributes that were passed through from SAML and is easily base64 decoded.
Although efficient and stateless, from a security standpoint, it's a point of information disclosure.
I propose some sort of encode/decode using the codec. I have a JWE implementation in a fork I'll reference. It's coded to default to JWE, but you can make it optional.
kennethklee/saml-auth-proxy@de409ba (branch feat/jwt-encryption)
I can do a PR if you'd like. Never mind, created PR and referenced.
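As an added illustration (not code from saml-auth-proxy or the linked fork), this Go snippet shows the shape of the proposed change: the claims JSON that today sits base64url-readable in the cookie is wrapped in a compact JWE using direct AES-256-GCM (alg "dir", enc "A256GCM"), so the cookie reveals nothing without the server-side key and any tampering is rejected on decode. The function names, the 32-byte key and the claims content are assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
const jweHeader = `{"alg":"dir","enc":"A256GCM"}` // protected header: direct AES-256-GCM (RFC 7516/7518)

// newA256GCM wraps the 32-byte cookie-encryption key, a server-side secret that never leaves the proxy.
func newA256GCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// jweEncrypt builds the compact JWE "header..iv.ciphertext.tag" (empty key part for alg "dir"); the base64url header is the GCM additional data.
func jweEncrypt(gcm cipher.AEAD, claims string) (string, error) {
	iv := make([]byte, gcm.NonceSize()) // fresh 96-bit IV per token; never reuse with the same key
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	hdr := b64.EncodeToString([]byte(jweHeader))
	sealed := gcm.Seal(nil, iv, []byte(claims), []byte(hdr))
	n := len(sealed) - gcm.Overhead() // Go appends the 16-byte tag to the ciphertext
	return strings.Join([]string{hdr, "", b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:n]), b64.EncodeToString(sealed[n:])}, "."), nil
}

// jweDecrypt reverses jweEncrypt; a foreign header, or any change to IV, ciphertext or tag, is rejected.
func jweDecrypt(gcm cipher.AEAD, token string) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 5 || p[1] != "" || p[0] != b64.EncodeToString([]byte(jweHeader)) {
		return "", errors.New("not a dir/A256GCM compact JWE")
	}
	iv, err1 := b64.DecodeString(p[2])
	ct, err2 := b64.DecodeString(p[3])
	tag, err3 := b64.DecodeString(p[4])
	if err1 != nil || err2 != nil || err3 != nil || len(iv) != gcm.NonceSize() {
		return "", errors.New("malformed JWE: bad base64url or IV length") // length check avoids a GCM panic
	}
	pt, err := gcm.Open(nil, iv, append(ct, tag...), []byte(p[0]))
	return string(pt), err
}
```

The same key must be configured on every proxy instance that issues or reads the cookie, and rotating it invalidates outstanding sessions, which is the trade-off against the stateless plain JWT.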