[keycloak-dev] Proposed changes to access code

Stian Thorgersen stian at redhat.com
Tue Oct 28 09:09:29 EDT 2014


We have a few issues with how we generate access codes:

* Abuse of RSA
* SHA-1 is no good
* Action + timestamp is guessable (this may just be theoretical)
* Both key and code query params sent in emails (making the links longer than necessary)

To resolve these issues I propose:

* When realm keys are updated we generate a realm code secret (UUID) - this is a secret required to create valid codes
* When the action and timestamp are updated we generate an action key (UUID) - this is a unique identifier for that specific action

Then an access code is created with:

    // Assumes java.security.MessageDigest and java.nio.charset.StandardCharsets are imported.
    // Hash the realm code secret and the action key; MessageDigest.update() takes bytes,
    // so both String values must be converted explicitly.
    MessageDigest digest = MessageDigest.getInstance("SHA-256");
    digest.update(realm.getCodeSecret().getBytes(StandardCharsets.UTF_8));
    digest.update("/".getBytes(StandardCharsets.UTF_8));
    digest.update(clientSession.getActionKey().getBytes(StandardCharsets.UTF_8));

    // URL-safe Base64 so the code can be placed in links without further escaping
    String hash = Base64Url.encode(digest.digest());

    // Final code is <hash>.<client session id>; the session id lets the server
    // look up the action key, recompute the hash and compare
    StringBuilder sb = new StringBuilder();
    sb.append(hash);
    sb.append(".");
    sb.append(clientSession.getId());

    String code = sb.toString();

An example access code will now be:

    Ld_L-Ta-tSpQMxGimEIpM4rq57KoplcN_3QxujUsMlM.6d102340-a7fd-44b8-93fd-ed6a8e8a4a15
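To make the proposal concrete end to end, here is an added, self-contained Python model of the scheme described above (it is not Keycloak code and not part of the original message). It builds the code exactly as the Java snippet does, and adds the verification side, which the message only implies: split the code at the first `.`, use the client session id to look up that session's action key, recompute the hash from the realm code secret, and compare in constant time. The `sessions` dict standing in for the session store, the constructed secret and key values, and the `verify_access_code` function are all assumptions of this example.

```python
import base64
import hashlib
import hmac
import uuid


def base64url_encode(raw: bytes) -> str:
    # Mirrors Keycloak's Base64Url.encode: URL-safe alphabet, '=' padding dropped
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_access_code(code_secret: str, action_key: str, session_id: str) -> str:
    # Same construction as the Java snippet: SHA-256(codeSecret || "/" || actionKey)
    digest = hashlib.sha256()
    digest.update(code_secret.encode("utf-8"))
    digest.update(b"/")
    digest.update(action_key.encode("utf-8"))
    return f"{base64url_encode(digest.digest())}.{session_id}"


def parse_access_code(code: str):
    # Returns (hash, session_id), or None when the shape is wrong.
    # The hash uses only base64url characters, so the first '.' is the separator.
    parts = code.split(".", 1)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return None
    return parts[0], parts[1]


def verify_access_code(code: str, code_secret: str, sessions: dict) -> bool:
    # Assumed server-side check (not shown on the page): the session id is the
    # lookup key, the action key is the per-action secret, and the realm code
    # secret is what an attacker without server access cannot know.
    parsed = parse_access_code(code)
    if parsed is None:
        return False
    _, session_id = parsed
    action_key = sessions.get(session_id)
    if action_key is None:
        return False
    expected = make_access_code(code_secret, action_key, session_id)
    # Constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, code)


def demo() -> bool:
    # Constructed values: a fresh realm code secret, action key and session id
    code_secret = str(uuid.uuid4())
    sessions = {str(uuid.uuid4()): str(uuid.uuid4())}
    session_id, action_key = next(iter(sessions.items()))
    code = make_access_code(code_secret, action_key, session_id)
    ok = verify_access_code(code, code_secret, sessions)
    # Rotating the action key (e.g. the action or timestamp changed) invalidates the old code
    sessions[session_id] = str(uuid.uuid4())
    stale = verify_access_code(code, code_secret, sessions)
    return ok and not stale


if __name__ == "__main__":
    print("scheme behaves as described:", demo())
```

The hash portion is always 43 characters (32 SHA-256 bytes, base64url without padding), matching the sample code in the message. Two properties worth noting: an attacker who learns a session id alone cannot produce the hash without the realm code secret, and changing the action key on the session invalidates every previously issued code for it. The plain concatenation works because the secret is a fixed-length UUID; the standard keyed construction for this purpose is HMAC-SHA256, which avoids any dependence on the separator and on secret length.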

