[keycloak-dev] Revisiting client codes again
Stian Thorgersen
stian at redhat.com
Mon Nov 24 09:06:58 EST 2014
We currently create a SHA-256 hash to verify the client codes, but would it not be better to use a MAC? Doesn't require any changes to the model as we can use the realm code-secret as the secret for the MAC.
Only change would be to ClientSessionCode.createHashCode:
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Key the tag with the realm's code secret instead of hashing the inputs unkeyed
Mac mac = Mac.getInstance("HmacSHA256");
SecretKeySpec key = new SecretKeySpec(realm.getCodeSecret().getBytes(), "HmacSHA256");
mac.init(key);
// Authenticate the client session id and the action, separated as before
mac.update(clientSession.getId().getBytes());
mac.update(HASH_SEPERATOR);
mac.update(clientSession.getNote(ACTION_KEY).getBytes());
return Base64Url.encode(mac.doFinal());
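The keyed-versus-unkeyed difference the post relies on, as a self-contained added example (it is not code from this post or from Keycloak): the same (client session id, action) pair is tagged once with plain SHA-256 and once with HMAC-SHA256, and verification of the HMAC tag uses a constant-time comparison. The class name ClientCodeTagDemo, the HASH_SEPARATOR constant, the secret and session id values are constructed for the demo, and java.util.Base64's URL-safe encoder stands in for Keycloak's Base64Url.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Keycloak code: contrasts an unkeyed SHA-256 tag with an
// HMAC-SHA256 tag over the same (client session id, action) pair. The separator,
// the realm code secret value and the session id below are constructed.
public class ClientCodeTagDemo {

    private static final byte[] HASH_SEPARATOR = ".".getBytes(StandardCharsets.UTF_8);
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    // Unkeyed tag: it depends only on public inputs, so it proves nothing about
    // who produced the code.
    static String sha256Tag(String sessionId, String action) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        md.update(sessionId.getBytes(StandardCharsets.UTF_8));
        md.update(HASH_SEPARATOR);
        md.update(action.getBytes(StandardCharsets.UTF_8));
        return B64.encodeToString(md.digest());
    }

    // Keyed tag: producing it requires the realm's code secret.
    static String hmacTag(byte[] codeSecret, String sessionId, String action) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(codeSecret, "HmacSHA256"));
        mac.update(sessionId.getBytes(StandardCharsets.UTF_8));
        mac.update(HASH_SEPARATOR);
        mac.update(action.getBytes(StandardCharsets.UTF_8));
        return B64.encodeToString(mac.doFinal());
    }

    // Verification recomputes the expected tag and compares it in constant time
    // (MessageDigest.isEqual), so the comparison leaks nothing through timing.
    static boolean verifyHmacTag(byte[] codeSecret, String sessionId, String action,
                                 String presentedTag) throws Exception {
        byte[] expected = B64D.decode(hmacTag(codeSecret, sessionId, action));
        byte[] presented;
        try {
            presented = B64D.decode(presentedTag);
        } catch (IllegalArgumentException e) {
            return false; // malformed encoding is rejected outright
        }
        return MessageDigest.isEqual(expected, presented);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values; a real deployment uses the realm's stored code secret.
        byte[] serverSecret = "constructed-realm-code-secret".getBytes(StandardCharsets.UTF_8);
        String sessionId = "c0ffee12-constructed-session-id";
        String action = "AUTHENTICATE";

        // The server issues a code carrying the HMAC tag; it verifies as issued.
        String issued = hmacTag(serverSecret, sessionId, action);
        System.out.println("issued code verifies:          "
                + verifyHmacTag(serverSecret, sessionId, action, issued));

        // Any change to the authenticated inputs invalidates the tag.
        System.out.println("changed action verifies:       "
                + verifyHmacTag(serverSecret, sessionId, "CODE_TO_TOKEN", issued));

        // A tag computed under a different secret does not verify either, which is
        // exactly the property the unkeyed tag lacks: sha256Tag takes no secret at all.
        byte[] otherSecret = "some-other-secret".getBytes(StandardCharsets.UTF_8);
        String underOtherSecret = hmacTag(otherSecret, sessionId, action);
        System.out.println("tag under other secret verifies: "
                + verifyHmacTag(serverSecret, sessionId, action, underOtherSecret));
        System.out.println("unkeyed tag (no secret needed):  " + sha256Tag(sessionId, action));
    }
}
```

Compile and run with javac ClientCodeTagDemo.java && java ClientCodeTagDemo. The first check prints true and the next two false; the last line shows the SHA-256 tag that anyone holding the session id and action could compute, which is why a keyed MAC is the better fit for a value that must be issued by the server.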