Token and password encryption

Context

We need to store Hybris access token and autogenerated password in Auth0 user metadata in order to be able to maintain the customer access to Hybris.

That data needs to be encrypted for obvious security reasons.

Decision

  • Encrypt Hybris token once it is received in Auth0 login migration action
  • Encrypt Hybris token and autogenerated password in Auth0 register action
  • Data to be decrypted in Hybris when it receives Auth0 token

How it works

aes-256-cbc encryption is used in both Auth0 actions and Hybris. This mode encrypts the data with a secret key and a 16-byte initialization vector (IV).

The key should be shared and stored privately both in Hybris and Auth0. The initialization vector should be generated randomly on each encryption and can be stored along with encrypted data. It can be public.

Data then can be decrypted using both key and initialization vector.

Encrypted Hybris tokens and the autogenerated password will be saved in user metadata. The initialization vector used to encrypt each value must also be saved in user metadata, otherwise the value cannot be decrypted.

Consequences and limitations

  1. If we lose the encryption key or any stored initialization vector, we lose the affected customers' Hybris tokens and with them the ability to access Hybris on their behalf.
  2. As noted in Storing tokens in metadata, saving a lot of data in user metadata can impact performance, and aes-256-cbc requires the initialization vector to be saved alongside each encrypted value. aes-256-ecb does not require an initialization vector but is less secure and not recommended.
  3. Performing encryption inside Auth0 Actions can also impact the performance of those Actions.

Resources