by GauntletWizard
2019 days ago
I'd like to ask everyone here who's familiar with SAML to take a look at SPIFFE[1], which underlies Istio. I'm biased in this regard, but I view SPIFFE's inclusion of JWT tokens as an authentication method as fundamentally flawed - by allowing bearer tokens, you are no longer verifying identity, but passing identity around. JWT has also been susceptible in the past[2] to the same kinds of attacks here - poorly defined verification semantics. I suspect that buried in the semantics around SPIFFE's SPIRE Server and Agent are a number of vulnerabilities or other ways that trust doesn't mean quite what you think it means. I'd love for someone with interest to take a look. Besides the obvious downsides fundamental to Istio's MITM proxy architecture, I think there's more lurking on that edge.

[1] https://spiffe.io/

[2] https://auth0.com/blog/critical-vulnerabilities-in-json-web-...
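As an added illustration of the "poorly defined verification semantics" point above (this is example code written for this page, not the commenter's code and not from SPIFFE or SPIRE), here is a JWT verifier where the accepting side pins the algorithm, key, issuer, audience and clock itself and never lets the token header choose them. The secret, issuer, audience, SPIFFE-style `sub` value and fixed timestamp are constructed demo values; `demo()` runs the verifier over one valid token and four deliberately bad ones (alg "none", wrong key, expired, wrong audience) and reports what happens to each.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (hypothetical; not from the comment or from SPIFFE/SPIRE)
KEY = b"demo-shared-secret"
OTHER_KEY = b"some-other-key"
ISSUER = "https://issuer.example"
AUDIENCE = "https://service.example"
NOW = 1_700_000_000  # fixed "current time" so results are reproducible


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint an HS256 token (issuer side). Used here only to build inputs for demo()."""
    signing_input = f"{_segment({'alg': 'HS256', 'typ': 'JWT'})}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256_strict(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Verifier-pinned semantics: the verifier decides the algorithm, key, issuer,
    audience and clock; nothing in the token header can change those decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected 3 segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm. A verifier that dispatches on whatever 'alg' the header
    # carries has no fixed meaning for "valid", which is the problem described above.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    return claims


def demo() -> dict:
    """Run the strict verifier over a valid token and four constructed bad tokens."""
    good = {"iss": ISSUER, "aud": AUDIENCE, "sub": "spiffe://example.org/svc-a", "exp": NOW + 300}
    cases = {
        "valid": sign_hs256(good, KEY),
        # header says 'none' and the signature segment is empty
        "alg_none": f"{_segment({'alg': 'none'})}.{_segment(good)}.",
        "wrong_key": sign_hs256(good, OTHER_KEY),
        "expired": sign_hs256({**good, "exp": NOW - 1}, KEY),
        "wrong_audience": sign_hs256({**good, "aud": "https://other.example"}, KEY),
    }
    results = {}
    for name, token in cases.items():
        try:
            verify_hs256_strict(token, KEY, ISSUER, AUDIENCE, NOW)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:15} {outcome}")
```

The design point is that every decision (which algorithm, which key, which issuer, which audience, what time it is) belongs to the verifier; the token only supplies claims to be checked against those decisions. This does not address the commenter's separate objection to bearer tokens as such, since a token that passes these checks is still accepted from whoever presents it.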