<div dir="ltr">Hello,<div><br></div><div>I couldn&#39;t find the JIRA for the optional exclusion of the IDToken when refreshing Access Tokens so I created:</div><div><a href="https://issues.jboss.org/browse/KEYCLOAK-3360">https://issues.jboss.org/browse/KEYCLOAK-3360</a><br></div><div><br></div><div>I also did a PR which implements that:</div><div><a href="https://github.com/keycloak/keycloak/pull/3069">https://github.com/keycloak/keycloak/pull/3069</a><br></div><div><br></div><div>Cheers,</div><div>Thomas</div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-05-31 8:59 GMT+02:00 Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><span class="">
    <div>On 30/05/16 21:04, Stian Thorgersen
      wrote:<br>
    </div>
    <blockquote type="cite">
      <div dir="ltr"><br>
        <div class="gmail_extra"><br>
          <div class="gmail_quote">On 30 May 2016 at 12:03, Marek
            Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
            wrote:<br>
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"><span>
                  <div>On 30/05/16 11:51, Stian Thorgersen wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr"><br>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On 30 May 2016 at
                          11:13, Marek Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank"></a><a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                            <div bgcolor="#FFFFFF" text="#000000"><span>
                                <div>On 30/05/16 08:02, Stian Thorgersen
                                  wrote:<br>
                                </div>
                                <blockquote type="cite">
                                  <div dir="ltr">Create a JIRA for <span style="font-size:12.8px">ECDSA. I
                                      don&#39;t think we could/should change
                                      the default, but could be a
                                      configuration option for clients.</span></div>
                                </blockquote>
                              </span> Added <a href="https://issues.jboss.org/browse/KEYCLOAK-3057" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-3057</a>
                              with fix version 2.0.0.CR1 for now.<span><br>
                                <blockquote type="cite">
                                  <div dir="ltr">
                                    <div><span style="font-size:12.8px"><br>
                                      </span></div>
                                    <div><span style="font-size:12.8px">Looking
                                        at OpenID Connect spec it looks
                                        like ID token should always be
                                        generated in token response [1].
                                        However, it should not be
                                        generated in refresh [2]
                                        response.</span></div>
                                    <div><span style="font-size:12.8px"><br>
                                      </span></div>
                                    <div><span style="font-size:12.8px">[1] <a href="http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3" target="_blank"></a><a href="http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3</a></span></div>
                                    <div><span style="font-size:12.8px">[2] <a href="http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.12.2" target="_blank"></a><a href="http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.12.2" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#rfc.section.12.2</a></span></div>
                                  </div>
                                </blockquote>
                              </span> hmm... I am reading 12.2 that
                              refresh response &quot;might not&quot; contain ID
                              Token, hence it&#39;s nothing bad if it
                              contains it. So looks we are currently
                              specs compliant if we have IDToken in both
                              code-to-token response and refresh
                              response.<br>
                              <br>
                              What I mean is, that flag for skip IDToken
                              generation might be just optional and
                              disabled by default. So by default,
                              IDToken is available and all the
                              communication is OIDC compliant. However
                              if someone doesn&#39;t need IDToken and wants
                              to save some performance, he may skip the
                              IDToken generation. <br>
                              <br>
                              A week before, I&#39;ve tried some JProfiler
                              testing of login-logout test and token
                              generation was the main CPU consumption (I
                              still had just 1 hashIteration during this
                              profiling, with 20000 it will be likely
                              very different though). I saw 40% of CPU
                              time in TokenManager$<span style="background-color:#e4e4ff">AccessTokenResponseBuilder.</span>build()<span style="background-color:#e4e4ff"></span>
                              due there are 3 tokens signature here. The
                              option to reduce it from 3 to 2 might
                              slightly improve some CPU cycles &quot;for
                              free&quot; (security won&#39;t be reduced).</div>
                          </blockquote>
                          <div><br>
                          </div>
                          <div>I&#39;d argue that we should just include ID
                            token from the authorization response, while
                            never in the refresh response. That results
                            in better performance without the need for a
                            config option.</div>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </span> Won&#39;t that break compatibility for some client
                applications, which actually use IDToken and rely on the
                fact that it&#39;s properly refreshed every time? Among
                other things, IDToken contains fields like &quot;exp&quot; , which
                might then contain  expired value as it won&#39;t be updated
                during refreshes. Not sure if users won&#39;t be confused
                due to this.</div>
            </blockquote>
            <div><br>
            </div>
            <div>Surely the exp for an IDToken should be set to the
              session expiration and not to the expiration of access
              token though? Do we even update the profile details in the
              token or just fill it with whatever was there before?</div>
          </div>
        </div>
      </div>
    </blockquote></span>
    That&#39;s not what we are doing now. Right now, all IDToken claims
    (including expiration) are copied from accessToken. So IDToken
    expiration is by default defacto just 5 minutes or so. And all the
    claims are always updated during refresh. So if we don&#39;t refresh
    IDToken we lost this and IDToken will always contain claims from the
    time of login. Not sure if it&#39;s too bad or not, however some client
    apps, which use IDToken (like our demo for example) might be
    confused that IDToken will still contain old values after refresh...<span class="HOEnZb"><font color="#888888"><br>
    <font color="#888888"><br>
      Marek<br>
    </font></font></span><div><div class="h5">
    <blockquote type="cite">
      <div dir="ltr">
        <div class="gmail_extra">
          <div class="gmail_quote">
            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
              <div bgcolor="#FFFFFF" text="#000000"><span><font color="#888888"> Marek</font></span>
                <div>
                  <div><br>
                    <blockquote type="cite">
                      <div dir="ltr">
                        <div class="gmail_extra">
                          <div class="gmail_quote">
                            <div> </div>
                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                              <div bgcolor="#FFFFFF" text="#000000"><span><font color="#888888"><br>
                                    <br>
                                    Marek</font></span>
                                <div>
                                  <div><br>
                                    <br>
                                    <blockquote type="cite">
                                      <div class="gmail_extra">
                                        <div class="gmail_quote">On 27
                                          May 2016 at 19:19, Marek
                                          Posolda <span dir="ltr">&lt;<a href="mailto:mposolda@redhat.com" target="_blank"></a><a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>&gt;</span>
                                          wrote:<br>
                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                            <div bgcolor="#FFFFFF" text="#000000">
                                              <div>Regarding this, I
                                                wonder if we should add
                                                support for ECDSA based
                                                signatures as an
                                                alternative to RSA? Just
                                                went through some
                                                interesting blog [1] ,
                                                which mentions that
                                                256-bits ECDSA has
                                                around 9.5 times better
                                                performance of signature
                                                generation than
                                                2048-bits RSA. The time
                                                of signature
                                                verification seems to be
                                                slightly worse for ECDSA
                                                (see second comment),
                                                however there is also
                                                increased security
                                                (256-ECDSA is
                                                equivalient of 3248 RSA
                                                according to blog).
                                                Maybe it&#39;s something we
                                                can look at?<br>
                                                <br>
                                                Also the optional flag
                                                to skip IDToken
                                                generation will be good
                                                too IMO. AFAIK the point
                                                of IDToken is the
                                                compliance with OIDC
                                                specification. However
                                                in case of Keycloak
                                                accessToken usually
                                                contains all the info
                                                like IDToken (+ some
                                                more) and it&#39;s the
                                                accessToken, which is
                                                used in REST endpoints.
                                                So with regards to that,
                                                most of the
                                                Keycloak-secured
                                                applications can live
                                                just with access+refresh
                                                token and don&#39;t need ID
                                                Token at all. So if just
                                                2 tokens needs to be
                                                signed instead of 3, we
                                                have performance gain
                                                &quot;for free&quot; (no decrease
                                                of security, just one
                                                less useless token).<br>
                                                <br>
                                                [1] <a href="https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/" target="_blank"></a><a href="https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/" target="_blank">https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/</a><span><font color="#888888"><br>
                                                    <br>
                                                    Marek</font></span>
                                                <div>
                                                  <div><br>
                                                    <br>
                                                    On 24/05/16 15:43,
                                                    Bill Burke wrote:<br>
                                                  </div>
                                                </div>
                                              </div>
                                              <div>
                                                <div>
                                                  <blockquote type="cite"> Are you
                                                    sure the performance
                                                    gains are worth less
                                                    security?  What kind
                                                    of performance are
                                                    you actually worried
                                                    about?  Network
                                                    (size of tokens) or
                                                    CPU
                                                    (signatures/marshaling/unmarshalling)? 
                                                    If anything, these
                                                    signatures are only
                                                    going to get
                                                    stronger in future
                                                    releases.<br>
                                                    <br>
                                                    <div>On 5/24/16 5:46
                                                      AM, Matuszak,
                                                      Eduard wrote:<br>
                                                    </div>
                                                    <blockquote type="cite"> <font face="Calibri" size="2"><span style="font-size:11pt">
                                                          <div>Hello </div>
                                                          <div> </div>
                                                          <div>Motivated
                                                          by
                                                          considerations
                                                          on how to
                                                          improve the
                                                          performance of
                                                          the token
                                                          generation
                                                          process I have
                                                          two questions:</div>
                                                          <div> </div>
                                                          <ul style="margin:0;padding-left:36pt">
                                                          <li>I noticed
                                                          that
                                                          Keycloak’s
                                                          token
                                                          generation via
                                                          endpoint
                                                          “auth/realms/ccp/protocol/openid-connect/token”
                                                          generates a
                                                          triple of
                                                          tokens
                                                          (access-,
                                                          refresh- and
                                                          id-token). Is
                                                          there any
                                                          possibility to
                                                          dispense with
                                                          the id-token
                                                          generation? </li>
                                                          </ul>
                                                          <div> </div>
                                                          <ul style="margin:0;padding-left:36pt">
                                                          <li>Is there a
                                                          possibility to
                                                          cause Keycloak
                                                          to generate
                                                          more “simple”
                                                          bearer tokens
                                                          then complex
                                                          jwt-tokens?</li>
                                                          </ul>
                                                          <div> </div>
                                                          <div> </div>
                                                          <div><font face="Verdana" size="2"><span style="font-size:9pt">Best regards, Eduard Matuszak</span></font></div>
                                                          <div> </div>
                                                        </span></font> <br>
                                                      <fieldset></fieldset>
                                                      <br>
                                                      <pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                                                    </blockquote>
                                                    <br>
                                                    <br>
                                                    <fieldset></fieldset>
                                                    <br>
                                                    <pre>_______________________________________________
keycloak-user mailing list
<a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a></pre>
                                                  </blockquote>
                                                  <br>
                                                </div>
                                              </div>
                                            </div>
                                            <br>
_______________________________________________<br>
                                            keycloak-user mailing list<br>
                                            <a href="mailto:keycloak-user@lists.jboss.org" target="_blank">keycloak-user@lists.jboss.org</a><br>
                                            <a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br>
                                          </blockquote>
                                        </div>
                                        <br>
                                      </div>
                                    </blockquote>
                                    <br>
                                  </div>
                                </div>
                              </div>
                            </blockquote>
                          </div>
                          <br>
                        </div>
                      </div>
                    </blockquote>
                    <br>
                  </div>
                </div>
              </div>
            </blockquote>
          </div>
          <br>
        </div>
      </div>
    </blockquote>
    <br>
  </div></div></div>

<br>_______________________________________________<br>
keycloak-user mailing list<br>
<a href="mailto:keycloak-user@lists.jboss.org">keycloak-user@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-user" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-user</a><br></blockquote></div><br></div>