Description
Data.all (v2.7.0) has two options for issuing authentication tokens, ID tokens and access tokens, using Cognito or any OIDC provider (e.g. Okta). In both forms of authentication, the tokens are issued directly by the identity provider.
Please refer to this issue - #872
These tokens issued by the identity provider are not encrypted and also contain some personal information, so they can easily be stolen by an attacker via an XSS attack.
In order to solve this issue, the tokens sent to the frontend browser should be encrypted before they are set in local storage. Since the issuers of the tokens cannot encrypt them, a middleware service is needed that fetches these tokens and encrypts them.
On a high level, the user authentication flow will look like this:
- User goes to the browser and clicks on the login button
- Browser sends the request to the OIDC endpoint, which performs the 2FA
- Once the browser completes the code challenge exchange with the OIDC endpoint, the OIDC endpoint returns a code (UUID string)
- The React code should call a separate middleware with this code. The middleware in this case can be an AWS Lambda or any other server. This middleware is responsible for authenticating with the OIDC endpoint (/token) and receiving the tokens
- The middleware then encrypts the tokens with a secret. This secret can be stored in Secrets Manager
- Once the tokens are encrypted, the Lambda returns them to the frontend, which then stores them in local storage
- These tokens are then set in the useAuth, useToken, useGroups, etc. React hooks so that they can be used when calling any GraphQL APIs
- Since the tokens are encrypted, the custom authorizer has to be modified to decrypt them. Using symmetric encryption, the tokens are decrypted with the secret available in AWS Secrets Manager; only the custom authorizer Lambda has access to decrypt the tokens
Concerns
- Would performance drop from decrypting the tokens each time they are sent to the API Gateway -> custom authorizer, etc.?
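The two halves of the proposed flow (the middleware sealing the token it got from /token with a secret, and the custom authorizer opening it on every request) and the performance concern above, as an added example that is not part of data.all or of this issue. It is written in Go with only the standard library so it runs offline; the real middleware and authorizer in data.all would be Python Lambdas, and the OIDC exchange and the Secrets Manager call are left out. The 32-byte key, the AAD label and the sample token are constructed for the example; in practice the key comes from Secrets Manager and never reaches the browser. AES-GCM with a fresh random nonce per token is used so that a tampered or replayed-under-wrong-key blob is rejected rather than silently decrypted to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"time"
)

// tokenAAD binds the ciphertext to its purpose so a blob sealed for another
// use with the same key cannot be presented as a data.all token (constructed label).
const tokenAAD = "data.all-browser-token"

// sealToken is what the middleware would do with the token it received from
// the OIDC /token endpoint, using the 32-byte AES-256 key fetched from Secrets Manager.
// Output: base64url(nonce || ciphertext || GCM tag), safe to hand to the browser.
func sealToken(key []byte, token string) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Seal appends ciphertext+tag to the nonce so the blob is self-describing.
	sealed := gcm.Seal(nonce, nonce, []byte(token), []byte(tokenAAD))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// openToken is what the custom authorizer would do on each API Gateway request:
// decode, split off the nonce, and authenticate+decrypt. Any bit flip in the
// blob, a wrong key, or a wrong AAD makes gcm.Open fail.
func openToken(key []byte, sealedB64 string) (string, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(sealedB64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(sealed) < gcm.NonceSize() {
		return "", errors.New("sealed token too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plain, err := gcm.Open(nil, nonce, ct, []byte(tokenAAD))
	if err != nil {
		return "", errors.New("token rejected: authentication failed")
	}
	return string(plain), nil
}

// decryptLatency answers the performance concern: it times `iterations`
// authorizer-side decryptions and returns the average cost per request.
func decryptLatency(key []byte, sealedB64 string, iterations int) time.Duration {
	start := time.Now()
	for i := 0; i < iterations; i++ {
		if _, err := openToken(key, sealedB64); err != nil {
			return 0 // a failure here means the measurement is meaningless
		}
	}
	return time.Since(start) / time.Duration(iterations)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed; real key lives in Secrets Manager
	token := "header.payload.signature"               // constructed stand-in for an IdP JWT

	sealed, err := sealToken(key, token)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in localStorage:", sealed)

	got, err := openToken(key, sealed)
	fmt.Printf("authorizer recovered %q (err=%v)\n", got, err)
	fmt.Println("avg decrypt cost per request:", decryptLatency(key, sealed, 10000))
}
```

The latency figure is the quantity to measure before deciding the concern is real: a single AES-GCM open of a JWT-sized blob is microseconds, so the cost per request is dominated by the Secrets Manager fetch, which the authorizer should cache across invocations rather than repeat per call.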