On 31.3.2015 09:33, Stian Thorgersen wrote:
----- Original Message -----
> From: "Bastian Ike" <bastian.ike(a)aoe.com>
> To: "Marek Posolda" <mposolda(a)redhat.com>, "Sebastian Rose" <sebastian.rose(a)aoe.com>, keycloak-dev(a)lists.jboss.org
> Sent: Tuesday, 31 March, 2015 9:24:09 AM
> Subject: Re: [keycloak-dev] application session state update
>
> Hi guys,
>
> We're connecting Magento with Keycloak, and the SID is regenerated after
> every change of the login status to prevent session fixation attacks, where
> attackers might be able to enforce a session id or observe a session id
> prior to authentication and can later access user accounts by requesting
> private resources using these session ids.
>
> SID refreshes are a common way to prevent this kind of issue and to ensure
> that no old SIDs are leaked and that they cannot be enforced or predicted.
I don't think this is relevant to this discussion, but in either case that's not
an issue in Keycloak. The session id in Keycloak is just a reference to a specific user
session and is only valid for the lifetime of the session (it's also a UUID, so it is not
predictable). Having knowledge of a session id doesn't provide an attacker with
anything more than, say, a username would; it's just a reference.
That's actually related to the application session (a kind of HttpSession
ID in a web application secured by Keycloak). We can add support for
changing application_session_state in the refreshToken endpoint instead of
introducing a separate endpoint. Will it be sufficient for your use case?
Marek
>
> Regards, Bastian
>
>
> From: Marek Posolda <mposolda(a)redhat.com>
> Date: Mon, 30 Mar 2015 23:00:03 +0200
> To: Sebastian Rose <sebastian.rose(a)aoe.com>, "keycloak-dev(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>
> Subject: Re: [keycloak-dev] application session state update
>
> On 27.3.2015 17:22, Sebastian Rose wrote:
>
> Hi everyone,
>
> The endpoint /auth/realms/<realm>/protocol/openid-connect/access/codes has a
> parameter for the session id of a secured application (adapters use it):
> application_session_state. The endpoint
> /auth/realms/<realm>/protocol/openid-connect/refresh has not. At least this
> is what I saw within the code. Sorry if it's there.
>
> We have integrated our own application a la adapter, using these two URLs,
> and it's working fine. Our application completes the login via the first
> endpoint and changes its session id after the successful login. This means
> when a logout event is sent to our application, the old session id is used.
> So you're not using the servlet API but something completely different? Which
> framework are you using? Just curious about your use case, as in a normal
> servlet application the HttpSession ID is the same for the whole life of the user
> interaction and doesn't need to be changed after authentication (or during
> refresh).
>
> Marek
>
> So I'm asking if it makes sense to you to have the same parameter for the
> refresh URL to cover our requirement, or to integrate an
> application_session_state update endpoint to add/delete/update
> additional/new session ids.
>
> Best Regards
>
> Sebastian
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
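The situation Sebastian and Bastian describe, as an added example that is not code from the thread, from Keycloak or from Magento: the application rotates its session id after login (the session fixation defence Bastian mentions), but the logout event from Keycloak still carries the application_session_state that was sent during the code exchange, so the application keeps an alias from the registered value to the live id. Python is used for illustration; SessionStore and its methods are hypothetical names.

```python
import secrets


class SessionStore:
    # Constructed in-memory model of an application's sessions (not Keycloak or Magento code).
    def __init__(self):
        self.sessions = {}       # current sid -> {"user": ..., "registered_as": ...}
        self.by_registered = {}  # application_session_state sent to Keycloak -> current sid

    @staticmethod
    def new_sid():
        return secrets.token_urlsafe(32)  # random, so a session id cannot be predicted

    def start(self):
        # Pre-authentication session, e.g. a shopping cart before login.
        sid = self.new_sid()
        self.sessions[sid] = {"user": None, "registered_as": None}
        return sid

    def complete_login(self, sid, user):
        # Called after the code exchange in which `sid` was sent as application_session_state.
        # Rotating here defeats fixation: the pre-login id now refers to nothing, yet Keycloak
        # only knows that old value, so it is remembered as the alias for the new id.
        data = self.sessions.pop(sid)
        data.update(user=user, registered_as=sid)
        new_sid = self.new_sid()
        self.sessions[new_sid] = data
        self.by_registered[sid] = new_sid
        return new_sid

    def rotate(self, sid):
        # Later rotations (e.g. on a privilege change) keep the alias pointing at the live id.
        data = self.sessions.pop(sid)
        new_sid = self.new_sid()
        self.sessions[new_sid] = data
        if data["registered_as"] is not None:
            self.by_registered[data["registered_as"]] = new_sid
        return new_sid

    def logout_naive(self, application_session_state):
        # The problem from the thread: the logout names the pre-rotation id, the lookup misses.
        return self.sessions.pop(application_session_state, None) is not None

    def logout(self, application_session_state):
        # Resolve the registered id to the current one before invalidating.
        current = self.by_registered.pop(application_session_state, application_session_state)
        return self.sessions.pop(current, None) is not None

    def is_authenticated(self, sid):
        data = self.sessions.get(sid)
        return bool(data and data["user"])
```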