[keycloak-dev] JWS sizes
sthorger at redhat.com
Wed Mar 22 04:42:22 EDT 2017
We also need to make sure action tokens use HMAC
On 22 March 2017 at 09:12, Marek Posolda <mposolda at redhat.com> wrote:
> On 22/03/17 08:43, Stian Thorgersen wrote:
> It's even worse: there are cases where cookie storage is limited to 2k per
> domain. Some reverse proxies have that as the default apparently.
> On 21 March 2017 at 18:57, Marek Posolda <mposolda at redhat.com> wrote:
>> I guess we're not going to support cookie storage anyway, but if yes (in
>> theory) isn't it sufficient to go with Hmac-SHA256 based signature? It
>> would be Keycloak server itself, which both creates and verifies cookie,
>> so perhaps not a need for bigger and less performant RSA?
>> Which reminds that we can probably save some performance points by using
>> HMAC for refresh tokens too? Since it's the Keycloak itself which signs
>> and verifies it and from the adapter perspective, refresh token is just
>> an opaque string.
> +1 Good point! Can you JIRA it and set fix version to 3.3 please?
> Created https://issues.jboss.org/browse/KEYCLOAK-4622 for refresh tokens.
> Also created https://issues.jboss.org/browse/KEYCLOAK-4623 for client
> registration tokens, which I think is a similar case. The performance here
> is not so critical though, but still, I think the fix would be pretty easy
> and worth doing IMO.
>> On 21/03/17 17:25, Bill Burke wrote:
>> > FYI,
>> > Signature for RSA-Sha-256 for JWS is 172 bytes. The Header of the JWS
>> > is minimally 20 extra bytes. Can be more depending on additional
>> > headers (kid, typ, cty). Wanted to state these numbers as they affect
>> > whether we want to use a cookie to store session information instead of
>> > within a ClientSessionModel on the auth server, or HttpSession on
>> > clients/apps. Supposedly cookie storage is limited to 4k per domain, so
>> > we're immediately starting 200 bytes (5%) in the hole.
>> > Bill
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
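The thread's point is that a token the Keycloak server both issues and verifies does not need an RSA signature, and that the signature is the dominant part of a compact JWS. The following added example (not code from the thread or from Keycloak) shows the size of each part of a compact JWS: it builds and verifies an HS256 JWS with only the standard library, measures the header, payload and signature segments, and computes the base64url length an RS256 signature would have for any RSA modulus size. The `hs256_sign`, `hs256_verify`, `jws_parts_len` and `rs256_signature_len` names, the 32-byte key and the sample claims are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import math
from typing import Optional


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding base64 needs to decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_len(nbytes: int) -> int:
    """Characters needed to base64url-encode nbytes without padding."""
    return math.ceil(nbytes * 4 / 3)


def hs256_sign(claims: dict, key: bytes, extra_headers: Optional[dict] = None) -> str:
    """Compact JWS signed with HMAC-SHA256; extra_headers adds kid/typ/cty etc."""
    header = {"alg": "HS256"}
    if extra_headers:
        header.update(extra_headers)
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature is valid, else None.

    The verifier pins the algorithm itself instead of trusting the header,
    and compares the MAC in constant time.
    """
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        return json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None


def jws_parts_len(token: str) -> dict:
    """Size in characters of each segment of a compact JWS."""
    h, p, s = token.split(".")
    return {"header": len(h), "payload": len(p), "signature": len(s), "total": len(token)}


def rs256_signature_len(modulus_bits: int) -> int:
    """base64url length of an RSA signature for a key of the given modulus size."""
    return b64url_len(modulus_bits // 8)


if __name__ == "__main__":
    key = b"k" * 32  # constructed demo key; use a random secret in practice
    token = hs256_sign({"sub": "user-1"}, key)
    print(jws_parts_len(token))
    print("HS256 signature:", b64url_len(32), "chars")
    for bits in (1024, 2048, 4096):
        print(f"RS256 signature, {bits}-bit key:", rs256_signature_len(bits), "chars")
    print("verified:", hs256_verify(token, key))
    print("wrong key:", hs256_verify(token, b"x" * 32))
```

With the minimal header `{"alg":"HS256"}` the header segment is 20 characters and the HS256 signature segment is 43, while an RS256 signature is 342 characters for a 2048-bit key and grows linearly with the modulus. The size advantage only holds when one party owns the key: adapters that must verify a token without sharing the server's secret still need the asymmetric signature.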