OIDC Tokens Security

For simplification and robustness, GoodData stores OIDC tokens (Access Token and ID Token) in HTTP Cookies.

Storing these tokens in plain text (not encrypted) is considered by OIDC as secure enough, but it is still not recommend. For this reason GoodData store these tokens encrypted.

Encryption is using Authenticated Encryption with Associated Data (AEAD) with AES 256 encryption with Galois/Counter Mode.

GoodData also supports different encryption keys per organization and encryption keys rotation.

Each organization uses three encryption keys at a time:

  • old encryption key - key used for encryption in past and still accepted for decryption
  • current encryption key - key used for encryption and decryption
  • next encryption key - key which will be used for encryption in future and accepted for decryption

Supporting old key allows key rotations without impact on users. Supporting next encryption key allows better caching in GoodData leading to better performance for working with OIDC tokens.

Encryption keys rotation is performed in these steps:

  • old encryption key is thrown away
  • current encryption key is promoted to old encryption key
  • next encryption key is promoted to current encryption key
  • new key is generated for next encryption key

Default encryption keys rotation period is 30 days and can be configured for existing organizations in /api/v1/entities/admin/cookieSecurityConfigurations/{organizationId}.

Manual encryption keys rotation can be performed by setting lastRotation to value in long past (longer than rotationInterval).

Complete rotation (invalidating all decryption keys) requires three rotations (as each rotation invalidates only one key).

For more information, see the API documentation.