ESP is a proxy which enables API management capabilities for JSON/REST or gRPC API services. ESPv1 can be configured to authenticate a JWT token. The verified JWT claim is passed to the application in the HTTP header "X-Endpoint-API-UserInfo", and the application can use it to make authorization decisions. But if the client sends two "X-Endpoint-API-UserInfo" headers, ESPv1 replaces only the first one; the second one is passed through to the application unchanged. An attacker can therefore send two "X-Endpoint-API-UserInfo" headers, the second carrying a fake JWT claim, and the application may use the fake claim for authorization.
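The following is an added illustration, not code from ESP or from the advisory above. It models the two proxy behaviours described (replace only the first matching header versus strip every client-supplied copy before adding the verified one) and an application-side check that refuses to authorize unless the header is present exactly once. The header name comes from the text; the claim encoding (base64url JSON), the sample claims and the hostname are constructed assumptions.

```python
import base64
import json
from typing import List, Optional, Tuple

Header = Tuple[str, str]
USERINFO = "X-Endpoint-API-UserInfo"  # header name from the advisory text


def encode_claim(claim: dict) -> str:
    # Assumption: the claim travels as base64url-encoded JSON (constructed format).
    raw = json.dumps(claim, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def decode_claim(value: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(value.encode()))


def proxy_replace_first(client_headers: List[Header], verified_claim: dict) -> List[Header]:
    """Flawed behaviour: only the first matching header is overwritten with the
    verified claim; any later duplicate from the client passes through untouched."""
    out: List[Header] = []
    replaced = False
    for name, value in client_headers:
        if name.lower() == USERINFO.lower() and not replaced:
            out.append((USERINFO, encode_claim(verified_claim)))
            replaced = True
        else:
            out.append((name, value))
    if not replaced:
        out.append((USERINFO, encode_claim(verified_claim)))
    return out


def proxy_strip_all(client_headers: List[Header], verified_claim: dict) -> List[Header]:
    """Hardened behaviour: drop every client-supplied copy of the header, then
    append the single value the proxy actually verified."""
    out = [(n, v) for n, v in client_headers if n.lower() != USERINFO.lower()]
    out.append((USERINFO, encode_claim(verified_claim)))
    return out


def app_subject(headers: List[Header]) -> Optional[str]:
    """Application-side defence in depth: authorize only when the header is
    present exactly once; duplicates are treated as untrusted and rejected."""
    values = [v for n, v in headers if n.lower() == USERINFO.lower()]
    if len(values) != 1:
        return None
    return decode_claim(values[0]).get("sub")


def userinfo_subjects(headers: List[Header]) -> List[str]:
    """Decode every copy of the header the application would see (for inspection)."""
    return [decode_claim(v)["sub"] for n, v in headers if n.lower() == USERINFO.lower()]


# Constructed sample: a client request carrying two copies of the header.
VERIFIED_CLAIM = {"sub": "alice"}          # what the proxy validated from the JWT
CLIENT_HEADERS: List[Header] = [
    ("Host", "api.example.test"),
    (USERINFO, encode_claim({"sub": "alice"})),
    (USERINFO, encode_claim({"sub": "admin"})),  # second copy, not verified
]

if __name__ == "__main__":
    leaky = proxy_replace_first(CLIENT_HEADERS, VERIFIED_CLAIM)
    fixed = proxy_strip_all(CLIENT_HEADERS, VERIFIED_CLAIM)
    print("replace-first proxy forwards:", userinfo_subjects(leaky))
    print("strip-all proxy forwards:    ", userinfo_subjects(fixed))
    print("app decision (leaky):", app_subject(leaky))
    print("app decision (fixed):", app_subject(fixed))
```

The proxy-side fix is the one that matters: every inbound copy of a trust-carrying header must be removed before the proxy adds its own. The application-side check is a cheap second layer that also turns a silent escalation into a detectable rejection worth logging.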