Currently, Hydra stores claims from the consent application as JSON in the database. In our case, we will have a field in the /userinfo endpoint that stores a JWT, similar to Aggregated Claims.
This can be supported by adding claims to the ID token session in the Hydra consent application. But Hydra will save the claims in plain text. An attacker can use the JWT if they gain access to the database.
Solution
Add a config flag encryption_session_data to Hydra.
If the flag is true, encrypt the data before writing it to the database and decrypt it after reading it from the database.
The encryption can use the same encryption system that is used today for the RSA key encryption in the database.
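A worked sketch of the flag-gated encrypt-on-write / decrypt-on-read path proposed above. This is an added example, not Hydra's code: it assumes AES-256-GCM keyed from the system secret (modelled on how the existing JWK-at-rest encryption is assumed to work), and the names SealSession and OpenSession are hypothetical.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// newAEAD: AES-256-GCM keyed by SHA-256 of the system secret. Assumption: this mirrors Hydra's existing JWK-at-rest encryption; it is not Hydra's code.
func newAEAD(systemSecret []byte) cipher.AEAD {
	key := sha256.Sum256(systemSecret)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)   // AES block size: cannot fail
	return aead
}
// SealSession marshals claims to JSON; with the proposed flag on, the JSON is sealed under a fresh
// nonce and stored as "enc:"+base64(nonce||ciphertext||tag) so older plaintext rows stay readable.
func SealSession(claims map[string]interface{}, secret []byte, encrypt bool) (string, error) {
	plain, err := json.Marshal(claims)
	if err != nil || !encrypt {
		return string(plain), err
	}
	aead := newAEAD(secret)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return "enc:" + base64.RawURLEncoding.EncodeToString(aead.Seal(nonce, nonce, plain, nil)), nil
}
// OpenSession reverses SealSession; a tampered row or a wrong system secret
// fails GCM authentication rather than yielding attacker-chosen claims.
func OpenSession(stored string, secret []byte) (map[string]interface{}, error) {
	data := []byte(stored)
	if strings.HasPrefix(stored, "enc:") {
		raw, err := base64.RawURLEncoding.DecodeString(stored[4:])
		aead := newAEAD(secret)
		ns := aead.NonceSize()
		if err != nil || len(raw) < ns {
			return nil, errors.New("malformed sealed session row")
		}
		if data, err = aead.Open(nil, raw[:ns], raw[ns:], nil); err != nil {
			return nil, err
		}
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(data, &claims)
}
```

With the flag off the row is the same plain JSON Hydra writes today; with it on, a database reader sees only an opaque blob and cannot alter the embedded JWT without failing the GCM tag check.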