Add token_prefixes #2845

ludydoo · 2021-11-09T05:19:22Z

Preflight checklist

I could not find a solution in the existing issues, docs, nor discussions.
I agree to follow this project's Code of Conduct.
I have read and am following this repository's Contribution Guidelines.
This issue affects my Ory Cloud project.
I have joined the Ory Community Slack.
I am signed up to the Ory Security Patch Newsletter.

Describe your problem

Hello there!

This is a feature request to enable adding prefixes to tokens that ory hydra generates, in order to distinguish the token type without having to call the introspection endpoint, and to keep access tokens opaque.

https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
https://api.slack.com/authentication/token-types
https://stripe.com/docs/api/authentication

Describe your ideal solution

An option in the configuration to specify the prefixes for each token type

token_prefixes:
  access_token:  acme:oac:
  id_token:      acme:oid:
  refresh_token: acme:orf:

Workarounds or alternatives

None that I could find, apart from modifying the source code

Version

Latest

Additional Context

The reason for this feature request is because we will need to generate other types of tokens than OAuth tokens. Our policy enforcement endpoint would need to verify the inbound request token.

For example, given these token types

oa: (oauth token issued by hydra)
or: (oauth refresh token issued by hydra)
oi: (oauth id token issued by hydra)
pat: (personal access token issued by my-pac-service)
mt: (machine token issued by my-admin-service)

The policy enforcement endpoint would need to distinguish which service to call for the token introspection.

If the tokens were prefixed, it would be very easy to call the appropriate service to verify the token. That could even be done eg. Envoy ext_authz, with a route matcher.

Sample logic

func VerifyAuthHeader(authorizationHeader string){
  if strings.HasPrefix(authorizationHeader, "Bearer oa:"){
    // call hydra admin token introspection 
  }
  if strings.HasPrefix(authorizationHeader, "Bearer pat:"){
    // call my-pac-service
  }
}
...

The text was updated successfully, but these errors were encountered:

aeneasr · 2021-11-09T07:36:38Z

Thank you for the idea! Please note that this will only work for opaque tokens, so when not using the JWT strategy. It will also not work for ID tokens!

But for refresh and access tokens this could work :)

See ory/hydra#2845

This patch adds token prefixes to access tokens (`ory_at_`), refresh tokens (`ory_rt_`), and authorize codes (`ory_ac_`). Token prefixes are useful when scanning for secrets in e.g. git repositories. Closes #2845

This patch adds token prefixes to access tokens (`ory_at_`), refresh tokens (`ory_rt_`), and authorize codes (`ory_ac_`). Token prefixes are useful when scanning for secrets in e.g. git repositories. Token prefixes are only issued for non-JWTs. Closes #2845

aeneasr · 2022-06-17T17:57:53Z

done in v2

This patch adds token prefixes to access tokens (`ory_at_`), refresh tokens (`ory_rt_`), and authorize codes (`ory_ac_`). Token prefixes are useful when scanning for secrets in e.g. git repositories. Token prefixes are only issued for non-JWTs. Closes #2845

rdfirtal · 2022-11-03T13:47:55Z

Will token prefixes become configurable like OP suggests?

aeneasr · 2022-11-04T07:29:35Z

no!

NickUfer · 2023-07-16T12:06:13Z

What is the reason for not making these configurable except for everybody knowing ory hydra is used?

aeneasr · 2023-07-17T11:28:07Z

ory/fosite#733 (comment)

ludydoo added the feat New feature or request. label Nov 9, 2021

ludydoo changed the title ~~Add tokens.prefix option~~ Add token_prefixes Nov 9, 2021

aeneasr added this to the v2.0 milestone May 18, 2022

aeneasr added a commit to ory/fosite that referenced this issue Jun 17, 2022

feat: add ory_at|pt|ac prefixes to HMAC tokens

b9bc292

See ory/hydra#2845

aeneasr mentioned this issue Jun 17, 2022

feat: add ory_at|pt|ac prefixes to HMAC tokens ory/fosite#675

Merged

6 tasks

aeneasr added a commit to ory/fosite that referenced this issue Jun 17, 2022

feat: add ory_at|pt|ac prefixes to HMAC tokens

d52e8ec

See ory/hydra#2845

aeneasr added a commit to ory/fosite that referenced this issue Jun 17, 2022

feat: add ory_at|pt|ac prefixes to HMAC tokens

b652335

See ory/hydra#2845

aeneasr mentioned this issue Jun 17, 2022

feat: add token prefixes #3160

Merged

7 tasks

aeneasr closed this as completed Jun 17, 2022

mattslocum mentioned this issue Jan 4, 2023

feat: customizable token prefix ory/fosite#733

Open

6 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add token_prefixes #2845

Add token_prefixes #2845

ludydoo commented Nov 9, 2021

aeneasr commented Nov 9, 2021 •

edited

aeneasr commented Jun 17, 2022

rdfirtal commented Nov 3, 2022

aeneasr commented Nov 4, 2022

NickUfer commented Jul 16, 2023

aeneasr commented Jul 17, 2023

Add token_prefixes #2845

Add token_prefixes #2845

Comments

ludydoo commented Nov 9, 2021

Preflight checklist

Describe your problem

Describe your ideal solution

Workarounds or alternatives

Version

Additional Context

aeneasr commented Nov 9, 2021 • edited

aeneasr commented Jun 17, 2022

rdfirtal commented Nov 3, 2022

aeneasr commented Nov 4, 2022

NickUfer commented Jul 16, 2023

aeneasr commented Jul 17, 2023

aeneasr commented Nov 9, 2021 •

edited