[keycloak-dev] Access code length

Marek Posolda mposolda at redhat.com
Mon Jul 28 12:59:51 EDT 2014


Something, which comes to my mind:

* Omit the header part with the algorithm info and instead assume that the code 
is always signed with rsa-256 (or whatever other algorithm)

* Is it really necessary to have the System.currentTimeMillis() info here? I 
wonder if this timestamp info could be moved to the server side as well, 
so that when the code is later looked up, you also have the info about the time 
when it was created, without needing to pass this info as part of the code

* It seems that the biggest part (around 170 characters) is the signature. I 
wonder if it can be reduced by either:
** Using a less strong algorithm to sign the code (not sure if it's a 
security issue, as the code is one-time use anyway, and it's better than 
having no signature at all...)
** Actually it's Keycloak itself which verifies the signature. So I wonder 
if, instead of passing the whole signature around, it could just pass a 
hash of the signature (just a few characters). Then later, during the verification 
phase, it has access to the whole accessCode content, so it can sign the 
content again, compute the hash of the signature again, and compare it 
with the hash passed in the code parameter.

Marek

On 28.7.2014 18:14, Stian Thorgersen wrote:
> I've made the changes to access code, but I'm still not happy with the length.
>
> The old access code containing all the details (including access token and id token) was at least 1000 characters long (with more roles and id token details that would have been even bigger!).
>
> The new access code length is 259 characters. I think this is still too big and would like to reduce it. The way I'm currently creating it is taking the ID (UUID.randomUUID() + System.currentTimeMillis()) and using JWSBuilder to add a signature. Example:
>
>    eyJhbGciOiJSUzI1NiJ9.MTVhMjFiNWMtNjcxYy00YzYyLWEyOGMtNmFmMzE4YzE0NjkzMTQwNjU2MzMwNzQyMw.djN2v1Egz1Fime-2bVvYyv529KNMChYh3e0rY5UU4TImv53ppwNhrmWaZRNzO0xLULRC8IeixrH6K3nR1cMyHZb9Ef8Vr46YvNmE8Q_qac821GAWMNzEKjYcXt87AhSSz8BY54CcbKIPLfxFC8smI-KDA1Mr5SrJ_Ch-zdLDbdM
>
> I checked Google, and it's just:
>
>    4/YJcHpG7-DcoVcwNH_8D-NDQKcP_Y.MijWXLPgpOwToiIBeO6P2m9c72_7jgI
>
> Suggestions welcome ;)
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
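As an added worked example for the design options discussed in this thread (not Keycloak code, and written in Python rather than Java so that it runs stand-alone): a single-use code built from a random 16-byte id plus a 16-byte truncated HMAC-SHA256 tag, which comes out at 45 characters instead of 259. It takes Marek's point about keeping the creation timestamp on the server side, and his "hash of the signature" idea in MAC form: because Keycloak both issues and verifies the code, a symmetric MAC over the id does the job of the RSA signature, and a truncated tag compared in constant time replaces the roughly 170-character signature segment. The `CodeStore` class, the dict used as the pending-code table, the 16-byte sizes and the 60-second lifetime are assumptions made for the example.

```python
"""Compact single-use authorization code: random id + truncated HMAC tag.

Added example for the keycloak-dev thread above, not Keycloak code. Assumed
for the example: the server keeps pending codes in a lookup table (a dict
here) that also records the creation time, and the same server issues and
verifies the code, so a symmetric MAC can stand in for the RSA signature.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

ID_BYTES = 16          # 128-bit random code id (assumed size)
TAG_BYTES = 16         # HMAC-SHA256 output truncated to 128 bits (assumed size)
CODE_TTL_SECONDS = 60  # assumed lifetime of an unredeemed code


def b64url(raw: bytes) -> str:
    """base64url without padding, the encoding used for JWS segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; restores the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class CodeStore:
    """Issues codes of the form <b64url(id)>.<b64url(tag)> and redeems each once."""

    def __init__(self, mac_key: bytes, now=time.time):
        self._key = mac_key
        self._now = now        # injectable clock so expiry can be tested
        self._pending = {}     # code id -> (created_at, client_id, session_id)

    def _tag(self, code_id: bytes) -> bytes:
        return hmac.new(self._key, code_id, hashlib.sha256).digest()[:TAG_BYTES]

    def issue(self, client_id: str, session_id: str) -> str:
        code_id = secrets.token_bytes(ID_BYTES)
        # The creation time lives in the server-side table, not in the code.
        self._pending[code_id] = (self._now(), client_id, session_id)
        return f"{b64url(code_id)}.{b64url(self._tag(code_id))}"

    def redeem(self, code: str, client_id: str):
        """Returns the session id for a valid code, else None. Each code works once."""
        try:
            id_part, tag_part = code.split(".")
            code_id = b64url_decode(id_part)
            tag = b64url_decode(tag_part)
        except (ValueError, binascii.Error):
            return None
        # Check the MAC before touching the store: a forged code never causes a
        # lookup, and compare_digest does not leak how many tag bytes matched.
        if not hmac.compare_digest(tag, self._tag(code_id)):
            return None
        # pop() before the remaining checks keeps the code single use even when
        # it turns out to be expired or is presented by the wrong client.
        entry = self._pending.pop(code_id, None)
        if entry is None:
            return None
        created_at, expected_client, session_id = entry
        if self._now() - created_at > CODE_TTL_SECONDS:
            return None
        if expected_client != client_id:
            return None
        return session_id


if __name__ == "__main__":
    store = CodeStore(secrets.token_bytes(32))
    code = store.issue("my-app", "session-42")
    print(len(code), code)               # 45 characters, against 259 for the JWS form
    print(store.redeem(code, "my-app"))  # session-42
    print(store.redeem(code, "my-app"))  # None: already redeemed
```

Two ordering choices matter here: the tag is verified before the table is consulted, so guessed ids cost the attacker nothing but a failed MAC, and the entry is removed before the expiry and client checks, so a code that fails either check cannot be retried. The re-sign-and-compare variant Marek describes works with RS256 because RSASSA-PKCS1-v1_5 signatures are deterministic; a randomized scheme such as RSA-PSS would produce a different signature on every run, which is another reason the MAC form is the simpler fit when issuer and verifier are the same server.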