Yep, it seems that signing and then computing hash of the signature is
quite an overhead, which is not needed. Especially with additionally
added uniqueness of ActionKey. So +1 from me
Marek
On 28.10.2014 14:09, Stian Thorgersen wrote:
We have a few issues with how we generate access codes:
* Abuse of RSA
* SHA-1 is no good
* Action + timestamp is guessable (this may just be theoretical)
* Both key and code query params sent in emails (making the links longer that necessary)
To resolve these issues I propose:
* When realm keys are updated we generate a realm code secret (UUID) - this is a secret
required to create valid codes
* When the action and timestamp is updated we generate a action key (UUID) - this is a
unique identifier for that specific action
Then an access code is created with:
MessageDigest digest = MessageDigest.getInstance("sha-256");
digest.update(realm.getCodeSecret());
digest.update("/".getBytes());
digest.update(clientSession.getActionKey());
String hash = Base64Url.encode(digest.digest());
StringBuilder sb = new StringBuilder();
sb.append(hash);
sb.append(".");
sb.append(clientSession.getId());
String code = sb.toString();
An example access code will now be:
Ld_L-Ta-tSpQMxGimEIpM4rq57KoplcN_3QxujUsMlM.6d102340-a7fd-44b8-93fd-ed6a8e8a4a15
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev