We currently create a SHA-256 hash to verify the client codes, but would it not be better
to use a MAC? It doesn't require any changes to the model, as we can use the realm
code-secret as the secret for the MAC.
The only change would be to ClientSessionCode.createHashCode:
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// HMAC-SHA256 keyed with the realm code secret, replacing the unkeyed SHA-256
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec key = new SecretKeySpec(
        realm.getCodeSecret().getBytes(StandardCharsets.UTF_8), "HmacSHA256");
mac.init(key);
// same inputs as the current hash: session id, separator, action key
mac.update(clientSession.getId().getBytes(StandardCharsets.UTF_8));
mac.update(HASH_SEPERATOR);
mac.update(clientSession.getNote(ACTION_KEY).getBytes(StandardCharsets.UTF_8));
return Base64Url.encode(mac.doFinal());
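To make the difference between the two schemes concrete, here is an added Python model of the proposal (not Keycloak's code, and not part of the post). It maps the Java snippet onto the standard hmac module: the secret, session id, action key and separator are constructed sample values, and `unkeyed_code` stands in for the current SHA-256 scheme while `mac_code` stands in for the proposed `createHashCode`. The point it shows is that a party who knows the session id and action key can recompute the unkeyed hash exactly, but cannot produce a valid MAC without the realm code secret, and that the server-side check should compare in constant time.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example; they are not Keycloak data.
REALM_CODE_SECRET = b"constructed-realm-code-secret"
SESSION_ID = "0f3a9c2e-constructed-session-id"
ACTION_KEY = "AUTHENTICATE"
HASH_SEPARATOR = b"."  # stands in for the post's HASH_SEPERATOR constant


def _b64url(raw: bytes) -> str:
    """Unpadded base64url, the shape Base64Url.encode in the post produces."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _message(session_id: str, action: str) -> bytes:
    """Same input the post feeds to the digest: session id, separator, action key."""
    return session_id.encode("utf-8") + HASH_SEPARATOR + action.encode("utf-8")


def unkeyed_code(session_id: str, action: str) -> str:
    """Current scheme: plain SHA-256. Anyone who knows id and action can compute it."""
    return _b64url(hashlib.sha256(_message(session_id, action)).digest())


def mac_code(secret: bytes, session_id: str, action: str) -> str:
    """Proposed scheme: HMAC-SHA256 keyed with the realm code secret."""
    digest = hmac.new(secret, _message(session_id, action), hashlib.sha256).digest()
    return _b64url(digest)


def verify_mac_code(secret: bytes, session_id: str, action: str, presented: str) -> bool:
    """Server-side check: recompute the MAC and compare in constant time."""
    expected = mac_code(secret, session_id, action)
    return hmac.compare_digest(expected.encode("ascii"), presented.encode("ascii"))


def forgery_outcomes() -> dict:
    """Model a party that knows the session id and action key but not the realm secret."""
    server_hash = unkeyed_code(SESSION_ID, ACTION_KEY)
    server_mac = mac_code(REALM_CODE_SECRET, SESSION_ID, ACTION_KEY)

    # Without the secret, the best they can do is evaluate the same public function
    # (for the hash) or key the MAC with a guess.
    forged_hash = unkeyed_code(SESSION_ID, ACTION_KEY)
    forged_mac = mac_code(b"guessed-secret", SESSION_ID, ACTION_KEY)

    return {
        "hash_accepts_forgery": forged_hash == server_hash,
        "mac_accepts_forgery": verify_mac_code(
            REALM_CODE_SECRET, SESSION_ID, ACTION_KEY, forged_mac),
        "mac_accepts_genuine": verify_mac_code(
            REALM_CODE_SECRET, SESSION_ID, ACTION_KEY, server_mac),
        # A code minted for one action key must not verify for a different one.
        "mac_accepts_other_action": verify_mac_code(
            REALM_CODE_SECRET, SESSION_ID, "RESET_PASSWORD", server_mac),
    }


if __name__ == "__main__":
    for name, outcome in forgery_outcomes().items():
        print(f"{name}: {outcome}")
```

Running the script prints that the unkeyed hash accepts the recomputed value while the MAC rejects both the guessed-secret forgery and a genuine code replayed against a different action key. The `hmac.compare_digest` call in `verify_mac_code` is the one detail the Java snippet does not show: the recomputed MAC should be compared with the presented code in constant time rather than with an ordinary string equality.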