rashbre central: Kyle and the JWT

Wednesday, 17 May 2023

Kyle and the JWT

It is Friday Morning and Matt's friend Kyle is on-site.

"Ah - so the Englishman is bringing in his friends, so that he doesn't feel outnumbered?" says Hermann with a twinkle in his eye.
 
Kyle shakes hands with me, Hermann and Rolf and says, "I heard from Matt you were having trouble working out what some of the Createl code was doing? Maybe I can help?"
 
Hermann brings up the code on a screen. "It seems to be in this area," he says, "But if we isolate the code, then it stops working. Leave it in and everything seems to run slowly."
 
"I see," says Kyle, looking intently at the coding in front of him. 
 
"It's a form of JavaScript Object Notation Web Token - A JWT - pretty standard stuff, but I can see that the token form is highly customised. It's using a token audience claim and depends upon the initial token request. It verifies that the application has been granted the permissions required to access your interface to other systems. You will need to check the scope claim in the decoded JWT's payload and make sure the permissions match."

Kyle might as well have been talking 'cat' at that moment. None of it made any sense to me, although Hermann seemed to understand it. Amy looked at me as if to say 'is this guy for real?'.

Hermann says, "So that would account for the slow running. If every time Createl wants to do anything it must go through this series of checks, no wonder it runs slowly. I thought it was a protective security layer."
 
Kyle looks at Hermann and says, "It is really. Createl is looking for a token. If the right one is supplied, then it will run without all the tests. It knows it has the right 'audience', But if anyone else tries to run it, then it will perform sluggishly and not be capable of speeding-up. It's clever really. Levi slugged the application to run slowly unless it is in his capable hands."
 
Hermann groans, "I thought so. The result is a non-performing piece of software. No wonder the links to Selexor and to the Cyclone are so slow."
 
Kyle adds, "I reckon there's an identity token associated with Levi buried somewhere in the code. We find that and everything will run much faster."
 
Rolf says, "Kyle, thank you! You are as good as, no better even, than Matt said."
 
Amy remembers, "Levi was into Image Recognition, what about if the token is a token associated with Levi? This may sound baffling, but if the software recognises who is running it?"
 
Rolf and Hermann looked at one another.
 
"Great thought, Amy, " says Hermann, "We should put a Hi-res screen display of Levi in front of the cameras on the operating console. See if we can trick it,"
 
"Better than that," answers Kyle, "If we intercept the data flow, we can probably find the token as well. Then we'll have the key to making Createl and the corresponding Cyclone run fast."
 
Amy smiled. Progress at last, although I could see she was looking concerned about what was about to be unleashed.

No comments: