Description
We can safely store some info about JWTs.
The header has no secret info. We can figure out which algo is used and if there's anything interesting like a keyID in there.
The claim names are usually also not secret. The claim values might have secret info. This is especially useful for AADs because we can harvest the audience, appIDs and so on.
The signature should not be stored in any case.
We can figure out if we have a JWT by looking at the `Authorization` header. After removing `Bearer`, we can see if it's in the correct format. Splitting by `.` should give us three pieces. Then we can base64 decode.
We can store the type of the authorization header in the request metadata somewhere so we can later search for it. E.g., which requests use the authorization header and if it's JWT/AAD or not.
We can figure out if we're dealing with an AAD or a JWT by looking inside the claims section. AADs have certain claim names like `aud` or `tenant id`?
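As an added example (not code from this project), the extraction sketched above in Python: parse the `Authorization` header, check the `Bearer` scheme and the three-segment shape, base64url-decode header and claims, and keep only header fields, claim names and the audience, never the signature. The sample token is constructed inline; treating the `tid` claim as the tenant-id indicator is an assumption.

```python
import base64
import json
from typing import Any, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: Dict[str, Any]) -> str:
    # Only used to build the constructed sample token below.
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def extract_jwt_metadata(authorization: Optional[str]) -> Dict[str, Any]:
    """Return searchable, non-secret metadata about an Authorization header.

    The signature segment and the claim values (other than the audience)
    are never copied into the result; only header fields and claim names are.
    """
    meta: Dict[str, Any] = {"scheme": None, "is_jwt": False}
    if not authorization:
        return meta
    scheme, _, credential = authorization.strip().partition(" ")
    meta["scheme"] = scheme
    if scheme.lower() != "bearer" or not credential.strip():
        return meta
    parts = credential.strip().split(".")
    if len(parts) != 3:
        return meta  # not header.payload.signature, so not a JWT
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return meta
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return meta
    meta.update({
        "is_jwt": True,
        "alg": header.get("alg"),
        "kid": header.get("kid"),
        "claim_names": sorted(claims.keys()),  # names only, values stay out
        "aud": claims.get("aud"),  # audience is what lets us harvest appIDs
        "looks_like_aad": "tid" in claims,  # assumption: 'tid' = AAD tenant id
    })
    return meta


def make_sample_token(header: Dict[str, Any], claims: Dict[str, Any]) -> str:
    # Constructed test data: an unsigned-looking token with a fake signature.
    return f"{_b64url_encode(header)}.{_b64url_encode(claims)}.fake-signature"
```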