We also need to make sure action tokens use HMAC
On 22 March 2017 at 09:12, Marek Posolda <mposolda(a)redhat.com> wrote:
On 22/03/17 08:43, Stian Thorgersen wrote:
It's even worse: there are cases where cookie storage is limited to 2k per
domain. Some reverse proxies have that as the default apparently.
On 21 March 2017 at 18:57, Marek Posolda <mposolda(a)redhat.com> wrote:
> I guess we're not going to support cookie storage anyway, but if yes (in
> theory) isn't it sufficient to go with Hmac-SHA256 based signature? It
> would be Keycloak server itself, which both creates and verifies cookie,
> so perhaps not a need for bigger and less performant RSA?
>
> Which reminds that we can probably save some performance points by using
> HMAC for refresh tokens too? Since it's the Keycloak itself which signs
> and verifies it and from the adapter perspective, refresh token is just
> an opaque string.
>
+1 Good point! Can you JIRA it and set fix version to 3.3 please?
Created
https://issues.jboss.org/browse/KEYCLOAK-4622 for refresh tokens.
Also created
https://issues.jboss.org/browse/KEYCLOAK-4623 for client
registration tokens, which I think is a similar case. The performance here
is not so critical though, but still, I think the fix would be pretty easy
and worth doing IMO.
Marek
>
> Marek
>
> On 21/03/17 17:25, Bill Burke wrote:
> > FYI,
> >
> > Signature for RSA-Sha-256 for JWS is 172 bytes. The Header of the JWS
> > is minimally 20 extra bytes. Can be more depending on additional
> > headers (kid, typ, cty). Wanted to state these numbers as they affect
> > whether we want to use a cookie to store session information instead of
> > within a ClientSessionModel on the auth server, or HttpSession on
> > clients/apps. Supposedly cookie storage is limited to 4k per domain, so
> > we're immediately starting 200 bytes (5%) in the hole.
> >
> > Bill
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> >
https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
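The server-side HMAC signing that Marek proposes for refresh, cookie and registration tokens, written out as an added example (not Keycloak's code): an HS256 compact JWS signer and verifier, plus a helper that measures the header-plus-signature overhead Bill is counting against the cookie budget. The key, kid and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed 256-bit demo secret; a real server would load its own stored HMAC key.
DEMO_KEY = b"\x01" * 32
DEMO_KID = "hmac-key-1"  # hypothetical key id carried in the JWS header


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, key: bytes, kid: str) -> str:
    """Mint a compact JWS signed with HMAC-SHA256 (both signer and verifier are the server)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_hs256(token: str, key: bytes, expected_kid: str):
    """Return the claims if the token is a valid HS256 JWS under `key`, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:  # malformed structure, base64 or JSON
        return None
    # The server knows it minted this token with HS256 under this kid, so pin both
    # rather than trusting whatever alg the header claims.
    if header.get("alg") != "HS256" or header.get("kid") != expected_kid:
        return None
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(_b64url_decode(p_b64))


def overhead_bytes(token: str) -> int:
    """Bytes of the compact JWS spent on header, dots and signature, i.e. everything but the payload."""
    _h, p, _s = token.split(".")
    return len(token) - len(p)
```

With the 32-byte HMAC tag the signature segment is 43 base64url characters, which is the saving the thread is after compared with the RSA figure Bill quotes.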