[keycloak-dev] Updates to access code

Stian Thorgersen stian at redhat.com
Thu Jul 24 03:34:51 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 23 July, 2014 6:34:00 PM
> Subject: Re: [keycloak-dev] Updates to access code
> 
> 
> 
> On 7/23/2014 11:13 AM, Stian Thorgersen wrote:
> > I've completed all the pre-work required before storing AccessCode details
> > in UserSessionProvider.
> >
> > What's been done to AccessCode is:
> >
> > * It no longer contains AccessToken. Instead it just contains the list of
> > requested roles (intersection of client scope and user roles). The
> > AccessToken is generated from this in the TokenService.codeToToken
> > * authMethod, usernameUsed and rememberMe have been moved to
> > UserSessionModel
> > * list of RequiredActions has been changed to a single action. The action
> > can be one of the required actions, oauth_grant, or nothing. A code can
> > only be used for the action currently set on it. For example if the code
> > is set to VERIFY_EMAIL that is the only thing it's useful for. Also added
> > the oauth_grant action to make sure a user has verified the grants (if
> > client obviously) before the code is active and can be used to obtain a
> > token.
> > * expiration has been removed. Instead the timestamp and
> > realm.getAccessCodeLifespan/getAccessCodeLifespanUserAction is used
> > directly.
> >
> > That's it. Next step is to store the details in UserSessionProvider and only send
> > the id as the code query param.
> >
> > Question: is sending UUID + timestamp sufficient as the code, or should we
> > sign it with JWSBuilder as well?
> 
> Don't think you need a timestamp as the user session should have a
> timestamp.  Without signature, isn't this another brute force vulnerability?

Timestamp is needed for the code as it has a shorter lifespan than a user-session.

Yep, my instinct says let's encrypt it to be safe.

> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
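One way to lay out the signed-code check the thread is weighing (code = session id + timestamp + action, plus a MAC so the client cannot alter any field), as an added example that is not Keycloak's code or Stian's implementation. SERVER_KEY, the two lifespan values and the `token`/`VERIFY_EMAIL` action names are constructed for the example, and a plain HMAC stands in for the JWSBuilder signature mentioned in the thread.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed realm settings, mirroring the two lifespans named in the thread:
# a short one for codes exchanged for a token, a longer one for required actions.
ACCESS_CODE_LIFESPAN = 60               # seconds
ACCESS_CODE_LIFESPAN_USER_ACTION = 300  # seconds

# Hypothetical server-side secret standing in for the realm signing key.
SERVER_KEY = secrets.token_bytes(32)


def _mac(payload: bytes) -> str:
    digest = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def issue_code(session_id: str, action: str, now: int) -> str:
    """Build "id.timestamp.action.mac"; the MAC binds all three fields."""
    payload = f"{session_id}.{now}.{action}"
    return f"{payload}.{_mac(payload.encode())}"


def redeem_code(code: str, expected_action: str, now: int):
    """Return (session_id, "ok") if the code is authentic, unexpired and
    issued for the requested action; otherwise (None, reason)."""
    parts = code.split(".")
    if len(parts) != 4:
        return None, "malformed"
    session_id, ts, action, mac = parts
    payload = f"{session_id}.{ts}.{action}".encode()
    # Constant-time compare: an edited timestamp or action fails here, so the
    # client cannot extend a code's life or repurpose it for another action.
    if not hmac.compare_digest(mac, _mac(payload)):
        return None, "bad signature"
    # A code is only valid for the single action it was issued for.
    if action != expected_action:
        return None, "wrong action"
    lifespan = (ACCESS_CODE_LIFESPAN if action == "token"
                else ACCESS_CODE_LIFESPAN_USER_ACTION)
    if now - int(ts) > lifespan:
        return None, "expired"
    return session_id, "ok"
```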

