[keycloak-dev] application session state update

Bastian Ike bastian.ike at aoe.com
Tue Mar 31 04:14:15 EDT 2015



On 31.03.15 10:02, "Marek Posolda" <mposolda at redhat.com> wrote:

>On 31.3.2015 09:33, Stian Thorgersen wrote:
>>
>> ----- Original Message -----
>>> From: "Bastian Ike" <bastian.ike at aoe.com>
>>> To: "Marek Posolda" <mposolda at redhat.com>, "Sebastian Rose"
>>><sebastian.rose at aoe.com>, keycloak-dev at lists.jboss.org
>>> Sent: Tuesday, 31 March, 2015 9:24:09 AM
>>> Subject: Re: [keycloak-dev] application session state update
>>>
>>> Hi guys,
>>>
>>> We're connecting Magento with Keycloak, and the SID is regenerated after
>>> every change of the login status to prevent session fixation attacks where
>>> attackers might be able to enforce a session id or observe a session id
>>> prior to authentication and can later access user accounts by requesting
>>> private resources using these session ids.
>>>
>>> SID refreshes are a common way to prevent this kind of issue and to ensure
>>> that no old SIDs are leaked and cannot be enforced or predicted.
>> I don't think this is relevant to this discussion, but in either case
>>that's not an issue in Keycloak. The session id in Keycloak is just a
>>reference to a specific user session and only valid for the lifetime of
>>the session (it's also a UUID so is not predictable). Having the
>>knowledge of a session id doesn't provide an attacker with anything more
>>than say a username, it's just a reference.
Yes, this is not about the Keycloak session but about the connected
application. I just wanted to answer Marek's question :)

>That's actually related to the application session (kind of HttpSession
>ID in web application secured by keycloak). We can add support for
>changing application_session_state in refreshToken endpoint instead of
>introducing separate endpoint. Will it be sufficient for your use case?
>
>Marek
That would help us a lot!

Thanks, Bastian
>>
>>>
>>> Regards, Bastian
>>>
>>> From: Marek Posolda <mposolda at redhat.com>
>>> Date: Mon, 30 Mar 2015 23:00:03 +0200
>>> To: Sebastian Rose <sebastian.rose at aoe.com>, keycloak-dev at lists.jboss.org
>>> Subject: Re: [keycloak-dev] application session state update
>>>
>>> On 27.3.2015 17:22, Sebastian Rose wrote:
>>>
>>> Hi everyone,
>>>
>>> The endpoint /auth/realms/<realm>/protocol/openid-connect/access/codes has a
>>> parameter for the session id of a secured application (adapters use it):
>>> application_session_state. The endpoint
>>> /auth/realms/<realm>/protocol/openid-connect/refresh has not. At least this
>>> is what I saw within the code. Sorry, if it's there.
>>>
>>> We have integrated our own application a la adapter, using these two URLs
>>> and it's working fine. Our application completes the login via the first
>>> endpoint and changes its session id after the successful login. This means
>>> when a logout event is sent to our application, the old session id is used.
>>>
>>> So you're not using servlet API but something completely different? Which
>>> framework are you using? Just curious about your use case as in normal
>>> servlet application the HttpSession ID is same for the whole life of user
>>> interaction and doesn't need to be changed after authentication (or during
>>> refresh).
>>>
>>> Marek
>>>
>>> So I'm asking if it makes sense to you to have the same parameter for the
>>> refresh-url to cover our requirement or to integrate an
>>> application_session_state update endpoint to add/delete/update
>>> additional/new session ids.
>>>
>>> Best regards
>>>
>>> Sebastian
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
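The problem Sebastian describes (the application regenerates its session id after login, so a later logout event from the IdP names a session id that no longer exists) and Marek's proposed remedy (let the refresh call update application_session_state) can be modelled in a few lines. The following is an added example written for this thread, not code from Keycloak, Magento, or any of the posters; the `App` and `IdP` classes, their method names, and the assumption that a refresh call may carry application_session_state are all illustrative and not a description of Keycloak's real endpoints at the time.

```python
# Added example, not Keycloak's or Magento's code: a toy model of the flow
# discussed in the thread. The application regenerates its session id (SID)
# after login to defeat session fixation. The identity provider (IdP) keeps
# the application_session_state it received at the code exchange and reports
# it in its logout event. Whether the refresh call may update that value
# (the change proposed in the thread; assumed here, not a real parameter)
# decides whether the logout event reaches the live session.
import secrets


class App:
    """Relying application with an in-memory session store (assumed design)."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": username or None}

    def new_anonymous_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, old_sid, user):
        # Session-fixation mitigation: retire the pre-auth SID and bind the
        # authenticated state to a fresh one, so a SID that was fixed or
        # observed before login never refers to an authenticated session.
        data = self.sessions.pop(old_sid)
        data["user"] = user
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = data
        return new_sid

    def is_authenticated(self, sid):
        return self.sessions.get(sid, {}).get("user") is not None

    def handle_logout_event(self, app_session_state):
        # Back-channel logout: the IdP names the application session to end.
        # Returns True only if that SID still refers to a live session.
        return self.sessions.pop(app_session_state, None) is not None


class IdP:
    """Stand-in for the IdP: remembers application_session_state per user
    session, as the code endpoint in the thread does (assumed model)."""

    def __init__(self):
        self.user_sessions = {}  # idp session id -> application_session_state

    def exchange_code(self, application_session_state):
        idp_sid = secrets.token_hex(16)
        self.user_sessions[idp_sid] = application_session_state
        return idp_sid

    def refresh(self, idp_sid, application_session_state=None):
        # Assumed extension from the thread: a refresh may update the SID.
        if application_session_state is not None:
            self.user_sessions[idp_sid] = application_session_state

    def logout(self, idp_sid):
        # The logout event carries whatever SID the IdP currently has stored.
        return self.user_sessions.pop(idp_sid)


def run_flow(report_new_sid_on_refresh):
    """Returns (logout_reached_live_session, authenticated_session_survived)."""
    app, idp = App(), IdP()
    pre_sid = app.new_anonymous_session()            # known before login
    idp_sid = idp.exchange_code(application_session_state=pre_sid)
    post_sid = app.login(pre_sid, "alice")           # SID regenerated here
    idp.refresh(idp_sid, post_sid if report_new_sid_on_refresh else None)
    reported_sid = idp.logout(idp_sid)
    ended = app.handle_logout_event(reported_sid)
    return ended, app.is_authenticated(post_sid)


if __name__ == "__main__":
    print("stale SID in logout event:", run_flow(False))    # (False, True)
    print("updated SID in logout event:", run_flow(True))   # (True, False)
```

Without the update, the logout event names the pre-login SID, `handle_logout_event` finds nothing, and the authenticated session stays alive; with the SID reported on refresh, the same event ends the right session. The alternative Sebastian mentions, a dedicated update endpoint, would change only where `IdP.refresh`'s update happens, not this outcome.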