...
| Code Block | ||
|---|---|---|
| ||
{
"sub": "<username>",
"role": "<user_role">,
"context": "<hashed_cookie_context">,
"iat": "<issue_date">,
"exp": "<expiration_date">
} |
Token Attainment
The method by which the token will be securely obtained by the Safe Places web app.
| Status | ||||
|---|---|---|---|---|
|
Scope
The Safe Places backend will not be handling the management of the user pool.
I.E. there will be no
/loginendpoint that accepts ausernameandpasswordand performs a local database lookup.
Token attainment will largely depend on the health authority. They may implement their own system for issuing JSON Web Token that we will have to adapt to.
They may also control a separate user pool that the backend has to perform API calls on. This would mean issuing tokens would be within the Safe Places scope.
Potential Vulnerabilities
...
Numeric digits allow us log2(10) = 3.32 bits of entropy per character. RFC 4086 recommends 29 bits of entropy for a password based dependent on online authentication.
To meet that, we would need roughly 8 digits to have a decently-secured access code. Through key-stretching via simple HTTP rate-limiting, and while considering accessibility, we can likely reduce the requirement to 6 digits.
...