generated from cuioss/cui-java-module-template
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
215 additions
and
0 deletions.
There are no files selected for viewing
215 changes: 215 additions & 0 deletions
215
modules/authentication/portal-authentication-token/doc/Threat-Model.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,215 @@ | ||
| = Portal Authentication Token Module - Threat Model | ||
| :toc: | ||
| :toclevels: 3 | ||
|
|
||
| Generated by https://codeium.com/windsurf | ||
|
|
||
| == Overview | ||
|
|
||
| The Portal Authentication Token module provides functionality for handling JWT tokens in a portal environment, primarily focusing on token parsing, validation, and claim extraction. The module is built on top of SmallRye JWT and is designed to work with OAuth2/OpenID Connect providers, with specific testing against Keycloak. | ||
|
|
||
| == System Context | ||
|
|
||
| The module operates within the following context: | ||
|
|
||
| * Processes JWT tokens from OAuth2/OpenID Connect providers | ||
| * Validates token signatures using JWKS (JSON Web Key Sets) | ||
| * Extracts and processes token claims | ||
| * Handles multiple token types (Access, ID, Refresh) | ||
| * Supports multiple issuers | ||
|
|
||
| == STRIDE Threat Analysis | ||
|
|
||
| === Spoofing | ||
|
|
||
| ==== Threats | ||
| * S1: Attacker submits forged JWT tokens | ||
| * S2: Attacker impersonates legitimate JWKS endpoint | ||
| * S3: Attacker reuses expired or revoked tokens | ||
|
|
||
| ==== Current Mitigations | ||
| * Using SmallRye JWT for cryptographic operations | ||
| * JWKS endpoint validation | ||
| * Token signature verification | ||
| * Expiration time validation | ||
|
|
||
| ==== Recommendations | ||
| * Implement token blacklisting for revoked tokens | ||
| * Add rate limiting for token validation attempts | ||
| * Implement strict issuer validation | ||
| * Add additional token metadata validation (e.g., `nbf`, `aud` claims) | ||
|
|
||
| === Tampering | ||
|
|
||
| ==== Threats | ||
| * T1: Modification of token content during transmission | ||
| * T2: Tampering with cached JWKS data | ||
| * T3: Manipulation of token parsing process | ||
|
|
||
| ==== Current Mitigations | ||
| * Signature verification using public keys | ||
| * Size limits on tokens and payloads | ||
| * Immutable token objects | ||
| * Type-safe claim extraction | ||
|
|
||
| ==== Recommendations | ||
| * Implement integrity checks for cached JWKS data | ||
| * Add logging for signature verification failures | ||
| * Implement strict content-type validation | ||
| * Add checksums for cached data | ||
|
|
||
| === Repudiation | ||
|
|
||
| ==== Threats | ||
| * R1: Denial of token usage | ||
| * R2: Unauthorized token refresh attempts | ||
| * R3: Missing audit trail for token operations | ||
|
|
||
| ==== Current Mitigations | ||
| * Logging of token parsing attempts | ||
| * Logging of validation failures | ||
| * Token ID tracking | ||
|
|
||
| ==== Recommendations | ||
| * Enhance logging with correlation IDs | ||
| * Add structured logging for security events | ||
| * Implement token usage tracking | ||
| * Add audit logs for sensitive operations | ||
|
|
||
| === Information Disclosure | ||
|
|
||
| ==== Threats | ||
| * I1: Exposure of sensitive claims | ||
| * I2: Leakage of token data in logs | ||
| * I3: Exposure of JWKS cache contents | ||
| * I4: Debug information exposure | ||
|
|
||
| ==== Current Mitigations | ||
| * Limited logging of token content | ||
| * Size limits to prevent memory dumps | ||
| * Secure error handling | ||
| * No sensitive data in toString() methods | ||
|
|
||
| ==== Recommendations | ||
| * Implement claim sanitization in logs | ||
| * Add data masking for sensitive claims | ||
| * Implement secure key storage for JWKS | ||
| * Add security headers for external requests | ||
|
|
||
| === Denial of Service | ||
|
|
||
| ==== Threats | ||
| * D1: JWKS endpoint flooding | ||
| * D2: Large token processing | ||
| * D3: Complex token structures | ||
| * D4: Resource exhaustion through parallel requests | ||
|
|
||
| ==== Current Mitigations | ||
| * Token size limits (8KB) | ||
| * Payload size limits (16KB) | ||
| * JWKS refresh interval controls | ||
| * Null checks and validation | ||
|
|
||
| ==== Recommendations | ||
| * Implement request throttling | ||
| * Add circuit breakers for external calls | ||
| * Implement resource pools | ||
| * Add timeout mechanisms | ||
|
|
||
| === Elevation of Privilege | ||
|
|
||
| ==== Threats | ||
| * E1: Token scope manipulation | ||
| * E2: Role/permission injection | ||
| * E3: Privilege escalation through claim manipulation | ||
| * E4: Bypass of token validation | ||
|
|
||
| ==== Current Mitigations | ||
| * Strict claim type checking | ||
| * Signature validation | ||
| * Non-nullable constraints | ||
| * Type-safe claim extraction | ||
|
|
||
| ==== Recommendations | ||
| * Implement role hierarchy validation | ||
| * Add scope validation rules | ||
| * Implement strict claim value validation | ||
| * Add permission boundary checks | ||
|
|
||
| == Critical Security Controls | ||
|
|
||
| === Input Validation | ||
| * Token format validation | ||
| * Size limits | ||
| * Claim type checking | ||
| * Issuer validation | ||
|
|
||
| === Output Encoding | ||
| * Safe handling of token data in logs | ||
| * Secure error messages | ||
| * Claim value sanitization | ||
|
|
||
| === Authentication | ||
| * Signature verification | ||
| * Issuer validation | ||
| * Token expiration checking | ||
|
|
||
| === Session Management | ||
| * Token lifecycle handling | ||
| * Refresh token security | ||
| * Token state management | ||
|
|
||
| === Access Control | ||
| * Role-based access control support | ||
| * Scope validation | ||
| * Permission checking | ||
|
|
||
| === Cryptographic Practices | ||
| * Use of standard JWT libraries | ||
| * JWKS handling | ||
| * Key rotation support | ||
|
|
||
| === Error Handling | ||
| * Secure error messages | ||
| * Logging best practices | ||
| * Exception handling | ||
|
|
||
| === Logging | ||
| * Security event logging | ||
| * Audit logging | ||
| * Error logging | ||
|
|
||
| == Security Configuration | ||
|
|
||
| === Required Settings | ||
| * JWKS endpoint URL | ||
| * Allowed issuers | ||
| * Token validation rules | ||
| * TLS configuration | ||
|
|
||
| === Optional Settings | ||
| * JWKS refresh interval | ||
| * Token size limits | ||
| * Logging levels | ||
| * Cache configuration | ||
|
|
||
| == Implementation Guidelines | ||
|
|
||
| === Secure Coding Practices | ||
| * Input validation for all token data | ||
| * Type-safe claim handling | ||
| * Immutable objects where possible | ||
| * Secure error handling | ||
|
|
||
| === Testing Requirements | ||
| * Security test cases | ||
| * Boundary testing | ||
| * Error condition testing | ||
| * Performance testing | ||
|
|
||
| == References | ||
|
|
||
| * link:https://tools.ietf.org/html/rfc7519[JWT RFC 7519] | ||
| * link:https://tools.ietf.org/html/rfc7515[JWS RFC 7515] | ||
| * link:https://tools.ietf.org/html/rfc7517[JWK RFC 7517] | ||
| * link:https://openid.net/specs/openid-connect-core-1_0.html[OpenID Connect Core] |