store serialized JWT token in []byte instead in the JWT-SVID

[Dentrax]

Just noticed token field uses string data type. From the security perspective, shouldn't it be stored in []byte instead?

Since the string is immutable, once we've created it, if another process can dump memory like ollydbg, etc., there's no way you can get rid of the data before garbage collection kicks in. ¹

What are your thoughts?

Footnotes

1. https://security.stackexchange.com/a/172578/188106 ↩

[azdagron]

While I agree in principal, I'm curious how to make this practical. How do you see callers effectively clearing the backing array of that slice? What shape of the library could we impose to encourage (or better yet, force) them to clear it? Even though we control this particular struct, we don't control others (e.g. the grpc internal buffers used to receive the message from the workload API), in which case are we really mitigating anything by making this change since other copies will surely exist?

To be clear, I'm not opposed to changing it to []byte, and would happy to accept a PR in that direction, I just don't think it's going to have any practical effect on the security posture of the workload. Thoughts??