Re: [keycloak-dev] Proposed changes to access code

Yep, it seems that signing and then computing hash of the signature is quite an overhead, which is not needed. Especially with additionally added uniqueness of ActionKey. So +1 from me Marek On 28.10.2014 14:09, Stian Thorgersen wrote: > We have a few issues with how we generate access codes: > > * Abuse of RSA > * SHA-1 is no good > * Action + timestamp is guessable (this may just be theoretical) > * Both key and code query params sent in emails (making the links longer that necessary) > > To resolve these issues I propose: > > * When realm keys are updated we generate a realm code secret (UUID) - this is a secret required to create valid codes > * When the action and timestamp is updated we generate a action key (UUID) - this is a unique identifier for that specific action > > Then an access code is created with: > > MessageDigest digest = MessageDigest.getInstance("sha-256"); > digest.update(realm.getCodeSecret()); > digest.update("/".getBytes()); > digest.update(clientSession.getActionKey()); > > String hash = Base64Url.encode(digest.digest()); > > StringBuilder sb = new StringBuilder(); > sb.append(hash); > sb.append("."); > sb.append(clientSession.getId()); > > String code = sb.toString(); > > An example access code will now be: > > Ld_L-Ta-tSpQMxGimEIpM4rq57KoplcN_3QxujUsMlM.6d102340-a7fd-44b8-93fd-ed6a8e8a4a15 > _______________________________________________ > keycloak-dev mailing list > keycloak-dev(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev