
Say I have a gateway which provides authorization mechanisms by validating a JWT; behind the API gateway there are different microservices, but only the gateway port is public. As a software designer, you decide to make all microservices unaware of authorization-related operations, to remove code duplication and minimize the affected components when a security-related change is needed. That is, none of the microservices would contain any validation of the JWT.

How is it possible to prevent a horizontal privilege escalation when there's a valid JWT but the attempted operation does not pertain to the current user, such as updating the user profile of a different person? Keep in mind the API should not be required to read and compare the subject or issuer of the JWT to the user profile being updated. Is it even possible to achieve this?

  • Why shouldn't the API check the claims against the JWT to make sure the user is authorized to make the corresponding updates? – Dan Landberg Jul 20 '20 at 14:11
  • "to remove code duplication and minimize the affected components when a security related change is needed". It's not like it shouldn't; I'm just trying to find an alternative if possible. – Daniel Arechiga Jul 21 '20 at 00:46
  • Ok. Given that scenario, I'm not aware of any alternatives. Something is going to need to know that the specified user is not allowed to act on the specified resource. I think it's most cleanly handled in claims. – Dan Landberg Jul 22 '20 at 12:50
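The one gateway-side alternative that does exist is the partial one: when the resource owner is visible in the request itself (a user id in the path or body), the gateway can compare it to the token subject using a per-route policy table, and the services never see the JWT. The following is an added example, not code from the original post or from any particular gateway product; the HS256 shared secret, the `POLICIES` table, the `X-Auth-*` header names and the `authorize()` function are all assumptions made for the illustration, and the tokens are constructed inline. It also shows the gateway stripping client-supplied identity headers and forwarding the verified subject, which is what the claims-based approach in the comments needs from the gateway.

```python
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

# Constructed shared secret for this demo (HS256). A real gateway would usually
# verify RS256/ES256 signatures against the issuer's published public keys.
SECRET = b"example-shared-secret-not-for-production"
FORWARD = 0  # pseudo-status meaning "request passed policy, send it upstream"


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Build a sample JWT; only used here to construct test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the claims if signature, algorithm and expiry check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm, never trust the token's choice
            return None
        expected = hmac.new(SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        if "sub" not in claims or claims.get("exp", 0) < time.time():
            return None
        return claims
    except ValueError:  # bad base64, bad JSON, wrong segment count
        return None


# Hypothetical route policies: which path parameter must equal the token subject,
# and which role may override that. This is the only ownership knowledge the
# gateway has, so it covers only ownership that is visible in the request.
POLICIES = [
    {"method": "GET", "pattern": r"^/users/(?P<user_id>[^/]+)/profile$", "owner_param": "user_id", "admin_role": "admin"},
    {"method": "PUT", "pattern": r"^/users/(?P<user_id>[^/]+)/profile$", "owner_param": "user_id", "admin_role": "admin"},
]


def authorize(method: str, path: str, headers: dict):
    """Return (status, headers_to_forward); status FORWARD means pass upstream."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {}
    claims = verify_token(auth[len("Bearer "):])
    if claims is None:
        return 401, {}
    roles = claims.get("roles", [])
    for policy in POLICIES:
        match = re.match(policy["pattern"], path) if policy["method"] == method else None
        if not match:
            continue
        if match.group(policy["owner_param"]) != claims["sub"] and policy["admin_role"] not in roles:
            return 403, {}  # valid token, but the resource belongs to someone else
        # Drop any X-Auth-* header the client sent, then set the verified identity
        # so services that do need ownership checks can trust these headers.
        forwarded = {k: v for k, v in headers.items() if not k.lower().startswith("x-auth-")}
        forwarded["X-Auth-Subject"] = claims["sub"]
        forwarded["X-Auth-Roles"] = ",".join(roles)
        return FORWARD, forwarded
    return 404, {}  # route without a policy: deny by default instead of forwarding


def demo() -> dict:
    """Exercise the policy with constructed tokens and return the decisions."""
    now = int(time.time())
    alice = mint_token({"sub": "alice", "roles": [], "exp": now + 300})
    admin = mint_token({"sub": "root", "roles": ["admin"], "exp": now + 300})
    forged = mint_token({"sub": "bob", "roles": [], "exp": now + 300}, secret=b"attacker-key")
    stale = mint_token({"sub": "alice", "roles": [], "exp": now - 1})
    bearer = lambda t: {"Authorization": f"Bearer {t}"}
    return {
        "own_profile": authorize("PUT", "/users/alice/profile", bearer(alice))[0],
        "other_profile": authorize("PUT", "/users/bob/profile", bearer(alice))[0],
        "admin_other": authorize("PUT", "/users/bob/profile", bearer(admin))[0],
        "forged": authorize("PUT", "/users/bob/profile", bearer(forged))[0],
        "expired": authorize("GET", "/users/alice/profile", bearer(stale))[0],
        "no_policy": authorize("DELETE", "/users/alice/profile", bearer(alice))[0],
        "spoofed_header": authorize("GET", "/users/alice/profile",
                                    {**bearer(alice), "X-Auth-Subject": "bob"})[1]["X-Auth-Subject"],
    }
```

The limit of this approach is the one the comments point at: it works only while ownership can be read off the request. For a resource whose owner is known only to the service's own data (an order id, a document id), the gateway cannot decide, and the service has to compare the forwarded `X-Auth-Subject` against the stored owner, which is the claims check the question was hoping to avoid. Forwarding the verified subject, with client-supplied copies of that header stripped, keeps that check small and keeps JWT parsing out of the services.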

0 Answers