On 22/03/17 08:43, Stian Thorgersen wrote:
It's even worse: there are cases where cookie storage is limited to 2k per domain. Some reverse proxies have that as the default apparently.
On 21 March 2017 at 18:57, Marek Posolda <mposolda(a)redhat.com> wrote:
I guess we're not going to support cookie storage anyway, but if yes (in theory), isn't it sufficient to go with an HMAC-SHA256 based signature? It would be the Keycloak server itself which both creates and verifies the cookie, so perhaps there is no need for the bigger and less performant RSA?
Which reminds me that we can probably save some performance points by using HMAC for refresh tokens too? Since it's Keycloak itself which signs and verifies it, and from the adapter perspective the refresh token is just an opaque string.
+1 Good point! Can you JIRA it and set fix version to 3.3 please?
Created https://issues.jboss.org/browse/KEYCLOAK-4622 for refresh tokens. Also created https://issues.jboss.org/browse/KEYCLOAK-4623 for client registration tokens, which I think is a similar case. The performance here is not so critical though, but still, I think the fix would be pretty easy and worth doing IMO.
Marek
On 21/03/17 17:25, Bill Burke wrote:
> FYI,
>
> Signature for RSA-Sha-256 for JWS is 172 bytes. The Header of the JWS is minimally 20 extra bytes. Can be more depending on additional headers (kid, typ, cty). Wanted to state these numbers as they affect if we want to use a cookie to store session information instead of within a ClientSessionModel on the auth server, or HttpSession on clients/apps. Supposedly cookie storage is limited to 4k per domain, so we're immediately starting 200 bytes (5%) in the hole.
>
> Bill
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
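As an added illustration of the size and trust argument in this thread (example code, not Keycloak's own), this mints and verifies an HS256 compact JWS the way a server that is its own verifier could for a session cookie: the 32-byte HMAC encodes to 43 base64url characters against the 172 Bill cites for RSA, the verifier pins the algorithm instead of reading it from the header, and a helper checks the result against the 4k and 2k budgets mentioned. The key and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Cookie budgets mentioned in the thread: 4k per domain, or 2k behind some reverse proxies.
COOKIE_BUDGET_DEFAULT = 4096
COOKIE_BUDGET_STRICT_PROXY = 2048

def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Verify and decode. The verifier pins HS256 instead of trusting the header's alg
    (so an "alg":"none" or RS256 token is rejected) and compares MACs in constant time.
    Raises ValueError on any failure (the HMAC key stays on the server; adapters never see it)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header, payload, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))

def cookie_overhead(token: str) -> dict:
    """Characters spent on header and signature versus payload, comparable to Bill's numbers."""
    header, payload, sig = token.split(".")
    return {"header": len(header), "payload": len(payload), "signature": len(sig), "total": len(token)}

def fits_cookie_budget(token: str, budget: int = COOKIE_BUDGET_DEFAULT) -> bool:
    """True when the whole token value fits the per-domain cookie budget."""
    return len(token.encode("ascii")) <= budget
```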