[keycloak-dev] Proposed changes to access code

Marek Posolda mposolda at redhat.com
Wed Oct 29 06:27:32 EDT 2014


Yep, it seems that signing and then computing hash of the signature is 
quite an overhead, which is not needed. Especially with additionally 
added uniqueness of ActionKey. So +1 from me

Marek

On 28.10.2014 14:09, Stian Thorgersen wrote:
> We have a few issues with how we generate access codes:
>
> * Abuse of RSA
> * SHA-1 is no good
> * Action + timestamp is guessable (this may just be theoretical)
> * Both key and code query params sent in emails (making the links longer than necessary)
>
> To resolve these issues I propose:
>
> * When realm keys are updated we generate a realm code secret (UUID) - this is a secret required to create valid codes
> * When the action and timestamp is updated we generate an action key (UUID) - this is a unique identifier for that specific action
>
> Then an access code is created with:
>
>      MessageDigest digest = MessageDigest.getInstance("sha-256");
>      digest.update(realm.getCodeSecret().getBytes());
>      digest.update("/".getBytes());
>      digest.update(clientSession.getActionKey().getBytes());
>
>      String hash = Base64Url.encode(digest.digest());
>
>      StringBuilder sb = new StringBuilder();
>      sb.append(hash);
>      sb.append(".");
>      sb.append(clientSession.getId());
>
>      String code = sb.toString();
>
> An example access code will now be:
>
>      Ld_L-Ta-tSpQMxGimEIpM4rq57KoplcN_3QxujUsMlM.6d102340-a7fd-44b8-93fd-ed6a8e8a4a15
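The code construction and the check a server would run against it, as an added Python example (not Keycloak's own code). The realm secret, action keys and session ids below are constructed values standing in for realm.getCodeSecret(), clientSession.getActionKey() and clientSession.getId(); the check also shows that regenerating the action key invalidates codes issued for the previous action.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for realm.getCodeSecret(): regenerated with realm keys.
REALM_CODE_SECRET = "4f1c0c2e-7c3a-4c8e-9d9b-2b6f1a8e5d11"

# Constructed client sessions, keyed by clientSession.getId(); the action key
# is regenerated whenever the session's action/timestamp is updated.
SESSIONS = {
    "6d102340-a7fd-44b8-93fd-ed6a8e8a4a15": {"action_key": "a0c4e2f8-1b3d-4e5f-8a9b-0c1d2e3f4a5b"},
}


def b64url_nopad(data: bytes) -> str:
    """Base64Url without padding, matching the 43-char hash in the example code."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code(code_secret: str, action_key: str, session_id: str) -> str:
    """base64url(sha256(codeSecret + "/" + actionKey)) + "." + sessionId"""
    digest = hashlib.sha256()
    digest.update(code_secret.encode())
    digest.update(b"/")
    digest.update(action_key.encode())
    return f"{b64url_nopad(digest.digest())}.{session_id}"


def verify_code(code: str, code_secret: str, sessions: dict):
    """Return the session the code belongs to, or None if it is not valid.

    The session id after the "." selects the session; the hash is recomputed
    from the secret and the session's *current* action key and compared in
    constant time, so a code for a superseded action no longer verifies.
    """
    hash_part, sep, session_id = code.partition(".")
    if not sep or not hash_part or not session_id:
        return None
    session = sessions.get(session_id)
    if session is None:
        return None
    expected = make_code(code_secret, session["action_key"], session_id)
    if not hmac.compare_digest(expected.encode(), code.encode()):
        return None
    return session


if __name__ == "__main__":
    sid = "6d102340-a7fd-44b8-93fd-ed6a8e8a4a15"
    code = make_code(REALM_CODE_SECRET, SESSIONS[sid]["action_key"], sid)
    print(code, verify_code(code, REALM_CODE_SECRET, SESSIONS) is not None)
```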