Secret Management for JWT Secure APIs

Davinchi104
Posts: 4
Joined: Wed Feb 14, 2024 12:28 am

Secret Management for JWT Secure APIs

Post by Davinchi104 »

I am working on the creation of Secure APIs. I followed the documentation given by LANSA, but I don't know how to manage the "Secrets" for generating the signature and the validation for the JWT tokens; currently the secret is written in the program. Is there any suggestion for saving these secrets and improving the security of the services?

Sharing with you the code for generating the JWT token:

    * Only issue a token when the verified claims carry a Username
    If (#jwt.Claims<"Username"> *IsNot *Null)

        #JsonBody.Username := #jwt.Claims<"Username">.AsString
        * Signing secret is currently a hard-coded literal in the program
        #JsonBody.AccessToken := #HSnnn.IssueToken( #jwt "SECRET" )

        #Operation.Response.SetContentJson( #JsonBody )
    Endif
And also the code for validating the JWT token:

    * Verify the bearer token with the same hard-coded secret
    If (#HSnnn.TryVerifyToken( #Security.HttpBearer.Value, #jwt, "SECRET" ))

        If (#jwt.Claims<"Username"> *IsNot *Null)

            #Verified := true
            #FZUsuario := #jwt.Claims<"Username">.AsString
        Endif

    Endif
I have these routines in the same server module associated with an API; all of it was generated automatically by the LANSA API template.
Catt
Posts: 8
Joined: Mon Jun 10, 2019 8:00 pm

Re: Secret Management for JWT Secure APIs

Post by Catt »

You might want to consider soft coding the secret and having it stored in an encrypted table. Then you can retrieve it using a fetch from the table.
Dino
Posts: 472
Joined: Fri Jul 19, 2019 7:49 am
Location: Robbinsville, NC

Re: Secret Management for JWT Secure APIs

Post by Dino »

Soft coding it, encrypted in a table, also gives you the opportunity to change it periodically.

You can have one server module dedicated to generating the token and processing those requests, so the other server modules just verify it.
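As an added illustration of the strategy in the replies above (not code from the original thread or from LANSA), here is a Python stand-in for the IssueToken/TryVerifyToken pair in which the HS256 secret is looked up from a store at run time, tagged with a key id so it can be rotated periodically and old secrets retired. The store, key ids and environment variable names are constructed assumptions.

```python
# Added example (Python, not LANSA RDML): the HS256 secret is fetched from a
# store at run time and identified by "kid", so it can be rotated while tokens
# signed with the previous secret still verify. All names are hypothetical.
import base64, hashlib, hmac, json, os, time
from typing import Optional

# Constructed stand-in for the encrypted table / data area the thread suggests;
# in production load these from that store or the environment, never a literal.
SECRET_STORE = {
    "2024-09": os.environ.get("JWT_SECRET_2024_09", "constructed-old-secret"),
    "2024-10": os.environ.get("JWT_SECRET_2024_10", "constructed-current-secret"),
}
CURRENT_KID = "2024-10"  # new tokens are always signed with this key

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, kid: str = CURRENT_KID, ttl: int = 3600) -> str:
    """Counterpart of #HSnnn.IssueToken: the secret is looked up, not inline."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    now = int(time.time())
    body = dict(claims, iat=now, exp=now + ttl)
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(body, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET_STORE[kid].encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def try_verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Counterpart of #HSnnn.TryVerifyToken: returns the claims, or None if invalid."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
        if header.get("alg") != "HS256":          # pin the algorithm; never trust "alg" blindly
            return None
        secret = SECRET_STORE.get(header.get("kid"))  # unknown kid means a retired secret
        if secret is None:
            return None
        expected = hmac.new(secret.encode(), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s_b64)):  # constant-time compare
            return None
        claims = json.loads(_unb64url(p_b64))
        if claims.get("exp", 0) <= (now if now is not None else int(time.time())):
            return None
        return claims
    except (ValueError, TypeError):
        return None
```

Rotation is then a matter of adding the new secret to the store, switching CURRENT_KID, and deleting the old entry once its tokens have expired.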
Speedlime
Posts: 43
Joined: Wed Feb 03, 2021 2:52 am

Re: Secret Management for JWT Secure APIs

Post by Speedlime »

If you are running on an iSeries, you can use a DTAARA on the server to store it.
Just retrieve it from there using a BIF.
Davinchi104
Posts: 4
Joined: Wed Feb 14, 2024 12:28 am

Re: Secret Management for JWT Secure APIs

Post by Davinchi104 »

Dino wrote: Sat Sep 14, 2024 11:30 pm
    Soft coding it, encrypted in a table, also gives you the opportunity to change it periodically.

    You can have one server module dedicated to generating the token and processing those requests, so the other server modules just verify it.

Hi Dino, do you know if there's a documentation reference for following this strategy? I can't find the documentation for creating the encrypted table.