Storing Hybris Tokens in Auth0 App Metadata
Overview
Before looking at the proposal for token management via AWS, we have a proposal to keep tokens within the Auth0 system.
Proposal
The primary thinking here is that we remove the need to develop extra steps to set and get tokens from the middleware. Auth0 describes app metadata as access information, which in this case the token is.
App metadata stores information such as permissions, Auth0 plan, and external IDs that can impact user access to features. This data cannot be edited by users and there are size limits and storage restrictions for what can be stored in this field.
Our proposal is to use Crypto to cipher Hybris tokens, set them in app_metadata, and decipher them after transfer to Hybris using a shared secret. Secrets should be generated per tenant / environment and not shared across tenants.
Size limits
- The app_metadata and user_metadata fields have a combined maximum limit of 16 MB total per user. There is no limit to the number of properties that may be stored in these fields.
- When you set the user_metadata field using the Auth0 Authentication API Signup endpoint, you can include a maximum of 10 string fields whose values do not exceed 500 characters each. For an example of working with metadata during a custom signup process, read Custom Signup.
- The client_metadata field can have a maximum of 10 keys. Its keys and values have a maximum length of 255 characters each and cannot contain UTF-8 special characters.
Storage restrictions
The app_metadata field must not contain any of these properties:
- __tenant
- _id
- blocked
- clientID
- created_at
- email_verified
- globalClientID
- global_client_id
- identities
- lastIP
- lastLogin
- loginsCount
- metadata
- multifactor_last_modified
- multifactor
- updated_at
- user_id
Advantages
- Tokens are kept close to the auth infrastructure. This means fewer round trips to store, cipher and decipher Hybris tokens.
- This is a simpler implementation and requires no extra middleware development.
Disadvantages
- We were advised by Auth0 not to store Hybris tokens in metadata. Their reasonings are as follows:
  - Tokens are vulnerable to man-in-the-middle attacks because they are available in the front-channel. This would be true if the token were being stored in plain text. This is, however, mitigated by using crypto to cipher the token.
  - Bloat to the user profile. Again, you can store up to 16 MB alone in metadata.
  - Bloat to the JWT. There is no upper limit in the spec for JWT. More information can be found in the RFC 7519 spec.
Considerations
- Avoid putting unused claims into a JWT. While there is no limit to the size of a JWT, in general the larger they are, the more CPU is required to sign and verify them and the more time it takes to transport them. Benchmark expected JWTs to have an understanding of the performance characteristics.