
Comments (8)

JohnMoehrke commented on July 28, 2024

Is there some profile of the OAuth token that can be described that preserves in the audit that which is useful while explicitly excluding the concerning portions? We need a subject matter expert to define this profile of the OAuth token for this use-case.

from iti.basicaudit.

JohnMoehrke commented on July 28, 2024

No matter what we profile, the audit log is always a gold mine for exploiting. Long-lived tokens are a bad security choice. I agree that we should limit the risk. However, I had not received any subject matter expert advice by publication time. We can adjust this in a CP.

jkiddo commented on July 28, 2024

The audit log is a gold mine for sure in itself. Adding the full requests with any potential long-lived tokens to it takes it to a whole other level of exploit minefield, as long-lived tokens can be used for the purpose of getting access to data NOT yet in the audit log.

jkiddo commented on July 28, 2024

My subject matter expert advice is as follows: Omit the full access token from the AuditEvent. If the access token is in the form of a signed JWT, then remove the signature part of it in the AuditEvent.

jkiddo commented on July 28, 2024

Going ahead with a publication where the full request and all headers are added to the audit log is not recommended. I fail to understand it if publication continues without addressing this. This comment has been around for 9 months and nothing has happened. If GitHub is the wrong place for issues and the HL7 Jira is a better fit, then I suggest removing the option to raise issues on this repo.

jkiddo commented on July 28, 2024

Keeping the access token in its full form in the AuditEvent increases the number of attack vectors of the system.

JohnMoehrke commented on July 28, 2024

The problem with that is that both IUA and SMART have extensions in the OAuth token that are important to understand the transaction. We can't just not record this information. Plus, there is a need to have some identity of the specific token somewhere.

JohnMoehrke commented on July 28, 2024

I have indicated multiple times... I want to profile what we record from the OAuth token... please provide guidance to that goal.
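The two positions in the thread can be reconciled in code: jkiddo's advice (omit the full token; for a signed JWT, drop the signature) and JohnMoehrke's requirement (keep the SMART/IUA extension claims and some identity of the token). The following is an added example, not code from the thread or from the IHE BasicAudit profile; the SMART-style claims are constructed, and the SHA-256 fingerprint used as the token's audit identity is an assumption of this example, not something the thread specifies.

```python
import base64
import hashlib
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample: a signed JWT with SMART-style claims. The signature
# segment is made-up bytes; nothing here verifies it, the point is what is
# allowed to reach the AuditEvent.
SAMPLE_JWT = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "demo-key"}).encode()),
    _b64url(json.dumps({"iss": "https://idp.example", "sub": "practitioner-42",
                        "jti": "tok-001", "scope": "patient/Observation.read",
                        "fhirUser": "Practitioner/42"}).encode()),
    _b64url(b"\x00constructed-signature-bytes"),
])


def _decode_segment(seg: str) -> dict:
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))


def token_for_audit(access_token: str) -> dict:
    """Return what may be recorded in the AuditEvent instead of the raw token.

    A signed JWT is header.payload.signature; the signature is dropped so the
    logged value can no longer be presented as a bearer token, while the
    claims (jti, scope, SMART/IUA extensions) stay readable. A SHA-256
    fingerprint of the full token (an assumption of this example) gives the
    log a stable identity for the token without storing the token itself.
    """
    record = {"token_sha256": hashlib.sha256(access_token.encode()).hexdigest()}
    parts = access_token.split(".")
    if len(parts) == 3:
        try:
            record["header"] = _decode_segment(parts[0])
            record["claims"] = _decode_segment(parts[1])
            return record
        except ValueError:  # base64 or JSON failure: not a JWT after all
            pass
    record["token_type"] = "opaque"  # opaque tokens: fingerprint only
    return record
```

For an opaque (non-JWT) token only the fingerprint is kept, since there is no signature to strip and any part of the value would be replayable.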
