Description
With KNOX-2554, we now have the ability to store passcode tokens in relational databases. However, storing sensitive data in plain text is poor security practice. Since the token_id JWT claim can be used as a passcode, we need to make sure it is saved in hashed form. To do this, the following will be implemented:
- add a new column called id which will serve as the primary key of the KNOX_TOKENS table (this will also be a UUID)
- keep the current token_id column as is, and store the token.id claim in a hashed form in this column
By default, HS256 (HMAC with SHA-256) will be used as the hash algorithm, but end-users can configure it via the gateway.database.hash.alg gateway-level configuration. A new pre-defined alias name is to be introduced too: gateway_database_hash_key. End-users must save the desired key using this alias if they use the new JDBCTokenStateService as the token management backend. Please note that key size is very important for keyed hash (HMAC) algorithms, so using the master secret is not an option here.
The token verification logic has to be changed too: the incoming token.id claim must be hashed with the same key and algorithm before its expiration is looked up in the database, since the plain value is no longer stored.
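The storage and verification flow described above, as an added example that is not Knox's own code (Knox's JDBCTokenStateService is Java; this is a stand-alone Python model). The TokenStore class, the in-memory SQLite table and the constructed sample tokens are assumptions for illustration; the column names KNOX_TOKENS, id and token_id, the HMAC-SHA256 default and the key-size concern come from the issue text. The key-length check models the point that the HMAC key must be long enough, which is why the gateway master secret is not reused.

```python
import hashlib
import hmac
import sqlite3
import uuid

# Hypothetical stand-in for the gateway.database.hash.alg setting; the
# issue's HS256 default is HMAC over SHA-256, so the digest name is "sha256".
DEFAULT_HASH_ALG = "sha256"


class TokenStore:
    """Toy model of a JDBC-backed token state store (not Knox's code).

    Only an HMAC of the token.id claim (the passcode) is written to the
    token_id column; a fresh UUID in the new id column is the primary key.
    """

    def __init__(self, hash_key: bytes, hash_alg: str = DEFAULT_HASH_ALG):
        # Key-size check: for HMAC the key should be at least the digest size.
        # A short key (e.g. a reused master secret) weakens the MAC, which is
        # why the issue asks for a dedicated gateway_database_hash_key alias.
        digest_len = hashlib.new(hash_alg).digest_size
        if len(hash_key) < digest_len:
            raise ValueError(
                f"hash key must be at least {digest_len} bytes for HMAC-{hash_alg}")
        self._key = hash_key
        self._alg = hash_alg
        self._db = sqlite3.connect(":memory:")  # constructed, in-memory table
        self._db.execute(
            "CREATE TABLE KNOX_TOKENS ("
            " id TEXT PRIMARY KEY,"            # new UUID primary key
            " token_id TEXT NOT NULL UNIQUE,"  # HMAC of token.id, hex encoded
            " expiration INTEGER NOT NULL)")

    def hash_token_id(self, token_id: str) -> str:
        """Keyed hash of the passcode; deterministic, so it can be looked up."""
        return hmac.new(self._key, token_id.encode("utf-8"), self._alg).hexdigest()

    def add_token(self, token_id: str, expiration: int) -> str:
        """Store a token; returns the UUID row id, never the plain passcode."""
        row_id = str(uuid.uuid4())
        self._db.execute(
            "INSERT INTO KNOX_TOKENS (id, token_id, expiration) VALUES (?, ?, ?)",
            (row_id, self.hash_token_id(token_id), expiration))
        return row_id

    def get_expiration(self, token_id: str):
        """Verification path: hash the presented passcode, then look it up."""
        row = self._db.execute(
            "SELECT expiration FROM KNOX_TOKENS WHERE token_id = ?",
            (self.hash_token_id(token_id),)).fetchone()
        return row[0] if row else None

    def stored_token_ids(self):
        """What an attacker with read access to the table would see."""
        return [r[0] for r in self._db.execute("SELECT token_id FROM KNOX_TOKENS")]


def demo():
    """Round-trip with a constructed 32-byte key and a constructed token id."""
    store = TokenStore(b"\x01" * 32)
    store.add_token("constructed-token-id-1", 1700000000)
    return {
        "lookup_ok": store.get_expiration("constructed-token-id-1"),
        "lookup_unknown": store.get_expiration("constructed-token-id-2"),
        "plaintext_in_db": "constructed-token-id-1" in store.stored_token_ids(),
    }


if __name__ == "__main__":
    print(demo())
```

A lookup by HMAC works only because the hash is deterministic per key; rotating gateway_database_hash_key invalidates every stored row, so the key must be protected and kept stable. Changing gateway.database.hash.alg has the same effect, because the stored digests are tied to the algorithm that produced them.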
Issue Links
- Dependency: KNOX-2581 Secure token passcode in token state (Open)