Documentation
¶
Overview ¶
Example 10: Security — Attack Prevention.
Demonstrates real attacks against JWT-based auth and OneAuth's defenses: algorithm confusion (CVE-2015-9235), alg:none, cross-app forgery, and JWKS leak prevention.
Two-process architecture:
make serve # auth + JWKS :8081, protected resource :8082 make demo # walkthrough that drives both
In --serve mode you can fuzz the resource endpoint with crafted tokens to verify the middleware blocks them in your environment too:
curl http://localhost:8082/resource -H "Authorization: Bearer <crafted-token>"
Click to show internal directories.
Click to hide internal directories.