I guess we're not going to support cookie storage anyway, but if yes (in
theory) isn't it sufficient to go with an HMAC-SHA256-based signature? It
would be the Keycloak server itself which both creates and verifies the
cookie, so perhaps there is no need for the bigger and less performant RSA?
Which reminds me that we can probably save some performance points by using
HMAC for refresh tokens too? Since it's Keycloak itself which signs
and verifies it, and from the adapter perspective the refresh token is just
an opaque string.
Marek
On 21/03/17 17:25, Bill Burke wrote:
FYI,
The signature for RSA-SHA-256 for JWS is 172 bytes. The header of the JWS
is minimally 20 extra bytes. It can be more depending on additional
headers (kid, typ, cty). Wanted to state these numbers as they affect
whether we want to use a cookie to store session information instead of
within a ClientSessionModel on the auth server, or HttpSession on
clients/apps. Supposedly cookie storage is limited to 4k per domain, so
we're immediately starting 200 bytes (5%) in the hole.
Bill
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
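Added illustration of the two points raised in this thread (example code, not Keycloak's own): a stdlib Python sketch that issues and verifies an HS256 compact JWS with a key that never leaves the issuing server, and works out the per-algorithm header plus signature overhead against the 4k cookie budget. The key, the claims and the RSA modulus sizes are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

COOKIE_BUDGET = 4096  # per-domain cookie limit assumed in the thread


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used in JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_len(n_bytes: int) -> int:
    """Length of the unpadded base64url encoding of n_bytes raw bytes."""
    return (n_bytes * 4 + 2) // 3


def hs256_sign(claims: dict, key: bytes) -> str:
    """Compact JWS with HMAC-SHA256. Only sound when the same party
    (here: the auth server) both issues and verifies the token."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def hs256_verify(token: str, key: bytes) -> bool:
    """Recompute the MAC over header.payload and compare in constant time."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def rs256_signature_len(modulus_bits: int) -> int:
    """Encoded size of an RSA signature: one modulus-sized block."""
    return b64url_len(modulus_bits // 8)


def overhead(sig_len: int) -> tuple:
    """Bytes the minimal header, two dots and the signature take from the
    cookie budget, and that as a percentage of the 4k limit."""
    header_len = b64url_len(len(b'{"alg":"HS256"}'))  # 15 bytes -> 20 chars, same for RS256
    total = header_len + 2 + sig_len
    return total, round(100 * total / COOKIE_BUDGET, 1)
```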