1:48 p.m.
Smaller hash (sha1 or md5) is really the only thing you can do beyond
removing the JWS header. But, if you're going to do that, might as well
just ditch the signature altogether. If anything, over time, we'd be
using larger hashes not smaller ones.
HMAC is smaller, but that would require a realm secret key.
With a HMAC header and computing the JWS of:
String uuid = UUID.randomUUID().toString();
156 chars for HMAC 512 secret key
113 chars for HMAC 256 key
99 chars for HMAC SHA1 (We'd have to implement SHA1 which would be easy
to add)
Header is 20+ characters. uuid is 36 chars.
My bet is that Google is using HMAC + SHA-1
On 7/28/2014 12:59 PM, Marek Posolda wrote:
Something, which comes to my mind:
* Omit the header part with algorithm info and instead assume that code
is always signed with rsa-256 (or whatever different algorithm)
* Is it really needed to have System.currentTimeMillis() info here? I
wonder if this timestamp info can be extracted to server side as well,
so when code is later looked-up, you will also have info about the time
when it was created without the need of pass this info as part of the code
* It seems that the biggest part (around 170 characters) is signature. I
wonder that it can be reduced by either:
** Use not so strong algorithm to sign the code (not sure if it's
security issue as code is one time usage though and it's better than
avoid signature at all...)
** Actually it's keycloak itself, which verifies signature. So I wonder
if instead of passing the whole signature around, it can just pass the
hash of signature (just few characters). Then later during verification
phase, it has access to whole accessCode content, so it can sign the
content again and compute again the hash of signature and compare it
with the hash passed from code parameter.
Marek
On 28.7.2014 18:14, Stian Thorgersen wrote:
> I've made the changes to access code, but I'm still not happy with the
length.
>
> The old access code containing all the details (including access token and id token)
was at least 1000 characters long (with more roles and id token details that would have
been even bigger!).
>
> The new access code length is 259 characters. I think this is still to big and would
like to reduce it. The way I'm currently creating it is taking the ID
(UUID.randomUUID() + System.currentTimeMillis()) and using JWSBuilder to add a signature.
Example:
>
>
eyJhbGciOiJSUzI1NiJ9.MTVhMjFiNWMtNjcxYy00YzYyLWEyOGMtNmFmMzE4YzE0NjkzMTQwNjU2MzMwNzQyMw.djN2v1Egz1Fime-2bVvYyv529KNMChYh3e0rY5UU4TImv53ppwNhrmWaZRNzO0xLULRC8IeixrH6K3nR1cMyHZb9Ef8Vr46YvNmE8Q_qac821GAWMNzEKjYcXt87AhSSz8BY54CcbKIPLfxFC8smI-KDA1Mr5SrJ_Ch-zdLDbdM
>
> I checked Google it's just:
>
> 4/YJcHpG7-DcoVcwNH_8D-NDQKcP_Y.MijWXLPgpOwToiIBeO6P2m9c72_7jgI
>
> Suggestions welcome ;)
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com