If tokens issued to a legimate client are stolen by an attacker, the attacker can impersonate said client and this is hard to detect by the API. A particular risk is if the attacker can use the stolen token “scrape” data for all users (ex. looping over all personidentifiers) undetected.
Countermeasures for such attacks could be for the APIs to employ progressivce rate-limitations or restricting the maximum number of calls for a specific token.
Another countermeasure that APIs securing sensitive data should consider, is requiring pid-restricted tokens. A pid-restricted token is a token that simply contains a
pid claim, and the API must the validate that the pid in the token is equal to the pid referenced by the API call. This forces the client to fetch a new Maskinporten token for each user the client wants to do API calls for.
Note that a pid-restricted Maskinporten token looks very similar to a OIDC token from ID-porten, but the end user has NOT logged in.
The client includes the
pid-claim in the JWT grant in order trigger pid-restriction.
The resulting access token will include the person identifier of the intented subject of subsequent API calls in the
API / resource server tasks
- The API must reject tokens not containing
- The API must reject tokens having a different
pidthan the subject of the API call.