Checking if you support other identity management solutions in addition to Amazon’s Cognito. For instance, I have seen JWTs being replaced by Crypto wallet signatures.
Also… I thought to check what additional precautions you offer to protect users' credentials.
The reason for asking is to understand how the vulnerabilities associated with a JSON web token can be addressed.
I don’t know that we do or don’t support Cognito. I can however explain the process which you’re referring to when you mention a JWT. We have a five-part blog written by a senior engineer that details this process. You’re also unknowingly asking a relatively complex little question that has lots of tendrils… I’ll answer it tersely, and you can follow up as needed.
JWT tokens are used during enrollment. These are not actual user credentials until a user actually uses the single-use token to enroll a device. You are correct however that this token is sensitive and distributing the token needs great care. We currently rely on the network operator to safely and securely deliver these tokens to actual endpoints. Since it's just a file, we leave it to you to decide the best distribution mechanism.
Once at the endpoint, the JWT is consumed and becomes worthless on successful enrollment. The act of enrolling is what consumes the JWT, producing an identity file which should then be treated appropriately on that endpoint. There’s way more complexity to this as well…
Here’s the five-part blog post: openziti.github.io/articles/bootstrapping-trust/part-01.encryption-everywhere.html
Here’s more information about endpoints and enrollment: openziti.github.io/ziti/identities/overview.html?tabs=tabid-new-ca-ui%2Ctabid-new-identity-ui
Thanks for the question!
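The single-use enrollment flow described in the reply above, as an added illustration that is not OpenZiti's own code: a toy controller mints an HS256 enrollment JWT with a `jti`, the endpoint's enrollment consumes it exactly once (yielding a stand-in for the identity file), and a leaked copy replayed later, an expired token, or a tampered token is rejected. The signing key, claim names and the in-memory consumed-`jti` set are constructed for the demo.

```python
import base64, hmac, hashlib, json, secrets, time

# Constructed demo key; a real controller would use a managed signing key.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"
consumed_jtis = set()  # jti values that have already enrolled a device

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_enrollment_jwt(identity_name: str, ttl_s: int = 3600, now=None) -> str:
    """Mint a single-use enrollment token (HS256 JWT) for one identity."""
    now = time.time() if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": identity_name, "jti": secrets.token_hex(16),
              "iat": int(now), "exp": int(now) + ttl_s}
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def enroll(token: str, now=None) -> dict:
    """Consume the token exactly once and return the identity the endpoint keeps."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(unb64url(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust an alg the issuer did not use
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(payload))
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if claims["jti"] in consumed_jtis:
        raise ValueError("token already used")  # replay of a leaked enrollment JWT
    consumed_jtis.add(claims["jti"])
    # Stand-in for the identity file the endpoint stores after enrollment.
    return {"name": claims["sub"], "enrolled_at": int(now),
            "device_secret": secrets.token_hex(16)}
```

Once `enroll` has succeeded, the same token string is worthless to anyone who later obtains it, which is the property the reply relies on when it says the JWT is consumed on enrollment.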