
Secret Management for JWT Secure APIs

Posted: Fri Sep 13, 2024 7:11 am
by Davinchi104
I am working on the creation of Secure APIs. I followed the documentation given by LANSA, but I don't know how to manage the "Secrets" for generating the signature and the validation for the JWT tokens; currently the secret is written in the program. Is there any suggestion for saving these secrets and improving the security of the services?

Sharing with you the code for generating the JWT Token:

Code:

If (#jwt.Claims<"Username"> *IsNot *Null)

#JsonBody.Username := #jwt.Claims<"Username">.AsString
#JsonBody.AccessToken := #HSnnn.IssueToken( #jwt "SECRET" )

#Operation.Response.SetContentJson( #JsonBody )
Endif
And also the code for validating the JWT Token:

Code:

If (#HSnnn.TryVerifyToken( #Security.HttpBearer.Value, #jwt, "SECRET" ))

If (#jwt.Claims<"Username"> *IsNot *Null)

#Verified := true
#FZUsuario := #jwt.Claims<"Username">.AsString
Endif

Endif
I have these routines in the same server module associated to an API; all of it was generated automatically by the LANSA API template.

Re: Secret Management for JWT Secure APIs

Posted: Sat Sep 14, 2024 12:47 am
by Catt
You might want to consider soft-coding the secret and having it stored in an encrypted table. Then you can retrieve it using a fetch from the table.

Re: Secret Management for JWT Secure APIs

Posted: Sat Sep 14, 2024 11:30 pm
by Dino
Soft-coding it, encrypted, in a table also gives you the opportunity to change it periodically.

You can have one server module dedicated to generating the token and processing those requests. So the other server modules just verify it.
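To show what Catt's and Dino's suggestions look like end to end, here is an added illustration (written for this page in Python, not LANSA's own IssueToken/TryVerifyToken): the secret is looked up at runtime from a key store that stands in for the encrypted table, each token carries a key id ("kid") so the secret can be rotated without breaking tokens that are still outstanding, and issuing and verifying are separate functions so one module can issue while the others only verify. The KEY_STORE contents, the JWT_SECRET_<kid> environment variable name and the "Username" claim layout are assumptions for the example.

```python
"""Hypothetical HS256 JWT issuer/verifier with the secret kept out of the code.

Added illustration, not LANSA's own IssueToken/TryVerifyToken. The key store
below stands in for the encrypted table (or data area) the thread suggests; a
real deployment fetches the secret at runtime and never hard-codes it.
"""
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed sample store: key id -> secret. Rotation is "add a new kid and
# make it current; keep the old kid until its tokens have expired; then drop it".
KEY_STORE = {
    "2024-08": b"previous-secret-kept-only-for-outstanding-tokens",
    "2024-09": b"current-secret-fetched-from-the-encrypted-table",
}
CURRENT_KID = "2024-09"
ALLOWED_ALG = "HS256"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def load_secret(kid: str) -> bytes:
    """The 'fetch from the table' step. An environment variable such as
    JWT_SECRET_2024_09 (assumed name) overrides the store, so the same code
    also runs with the secret soft-coded outside the program."""
    override = os.environ.get("JWT_SECRET_" + kid.replace("-", "_"))
    if override:
        return override.encode()
    return KEY_STORE[kid]          # KeyError: unknown or retired kid


def issue_token(username: str, ttl_seconds: int = 900,
                kid: str = CURRENT_KID, now=None) -> str:
    """Issuer side: the one module that hands out tokens."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT", "kid": kid}
    claims = {"Username": username, "iat": now, "exp": now + ttl_seconds}
    signing_input = encode_segment(header) + "." + encode_segment(claims)
    sig = hmac.new(load_secret(kid), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def try_verify_token(token: str, now=None):
    """Verifier side: every other module. Returns the claims dict or None."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(c_b64))
        provided = b64url_decode(s_b64)
    except ValueError:                # wrong segment count, bad base64 or JSON
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    # The token must not choose the algorithm: "none" or anything else is rejected.
    if header.get("alg") != ALLOWED_ALG:
        return None
    try:
        secret = load_secret(str(header.get("kid") or ""))
    except KeyError:
        return None                   # kid no longer in the store: token is dead
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


if __name__ == "__main__":
    token = issue_token("Davinchi104")
    print(token)
    print(try_verify_token(token))
```

The verifier accepts a token signed under the previous kid for as long as that kid stays in the store, which is what makes periodic rotation safe: change CURRENT_KID first, remove the old entry only after its longest-lived token has expired.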

Re: Secret Management for JWT Secure APIs

Posted: Mon Sep 16, 2024 6:51 pm
by Speedlime
If you are running on an iSeries, you can use a DTAARA on the server to store it.
Just retrieve it from there using a BIF.

Re: Secret Management for JWT Secure APIs

Posted: Tue Sep 17, 2024 1:10 am
by Davinchi104
Dino wrote: Sat Sep 14, 2024 11:30 pm Soft-coding it, encrypted, in a table also gives you the opportunity to change it periodically.

You can have one server module dedicated to generating the token and processing those requests. So the other server modules just verify it.
Hi Dino, do you know if there's a documentation reference for following this strategy? I can't find the documentation for creating the encrypted table.