[keycloak-dev] Proposed changes to access code

Stian Thorgersen stian at redhat.com
Wed Oct 29 08:47:08 EDT 2014



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Wednesday, 29 October, 2014 1:44:38 PM
> Subject: Re: [keycloak-dev] Proposed changes to access code
> 
> Should clientSession.id be added to the hash?

Sure

> 
> On 10/29/2014 6:27 AM, Marek Posolda wrote:
> > Yep, it seems that signing and then computing hash of the signature is
> > quite an overhead, which is not needed. Especially with additionally
> > added uniqueness of ActionKey. So +1 from me
> >
> > Marek
> >
> > On 28.10.2014 14:09, Stian Thorgersen wrote:
> >> We have a few issues with how we generate access codes:
> >>
> >> * Abuse of RSA
> >> * SHA-1 is no good
> >> * Action + timestamp is guessable (this may just be theoretical)
> >> * Both key and code query params sent in emails (making the links longer
> >> than necessary)
> >>
> >> To resolve these issues I propose:
> >>
> >> * When realm keys are updated we generate a realm code secret (UUID) -
> >> this is a secret required to create valid codes
> >> * When the action and timestamp are updated we generate an action key (UUID)
> >> - this is a unique identifier for that specific action
> >>
> >> Then an access code is created with:
> >>
> >>       MessageDigest digest = MessageDigest.getInstance("sha-256");
> >>       digest.update(realm.getCodeSecret());
> >>       digest.update("/".getBytes());
> >>       digest.update(clientSession.getActionKey());
> >>
> >>       String hash = Base64Url.encode(digest.digest());
> >>
> >>       StringBuilder sb = new StringBuilder();
> >>       sb.append(hash);
> >>       sb.append(".");
> >>       sb.append(clientSession.getId());
> >>
> >>       String code = sb.toString();
> >>
> >> An example access code will now be:
> >>
> >>       Ld_L-Ta-tSpQMxGimEIpM4rq57KoplcN_3QxujUsMlM.6d102340-a7fd-44b8-93fd-ed6a8e8a4a15
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
> >
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 

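The proposed construction, modelled end to end as an added example (Python, not Keycloak's own code): a realm code secret and a per-action action key go into SHA-256, the Base64Url hash is joined to the client session id with ".", and verification recomputes the hash for the session named in the code. The session id is folded into the hash as Bill suggests; the "/" separator, the dict-based session store, the session and action names and the helper names are assumptions for the demo.

```python
"""Model of the proposed access-code scheme (constructed example, not Keycloak code)."""
import base64
import hashlib
import hmac
import uuid
from typing import Optional


def b64url(raw: bytes) -> str:
    """Base64Url without padding, the same shape as the hash in the email."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_hash(code_secret: str, action_key: str, session_id: str) -> str:
    """SHA-256 over codeSecret '/' actionKey '/' sessionId.

    The secret and action key are the email's inputs; the session id is the
    addition discussed in the reply. The '/' separator is assumed here."""
    d = hashlib.sha256()
    d.update(code_secret.encode("utf-8"))
    d.update(b"/")
    d.update(action_key.encode("utf-8"))
    d.update(b"/")
    d.update(session_id.encode("utf-8"))
    return b64url(d.digest())


def new_session(action: str) -> dict:
    """A client session gets a fresh action key when it is created (assumed)."""
    return {"id": str(uuid.uuid4()), "action": action, "action_key": str(uuid.uuid4())}


def set_action(session: dict, action: str) -> None:
    """Changing the action rotates the action key, so earlier codes stop verifying."""
    session["action"] = action
    session["action_key"] = str(uuid.uuid4())


def make_code(code_secret: str, session: dict) -> str:
    """Access code = Base64Url(hash) '.' clientSession.id, as in the proposal."""
    return code_hash(code_secret, session["action_key"], session["id"]) + "." + session["id"]


def verify_code(code: str, code_secret: str, sessions: dict) -> Optional[dict]:
    """Return the session the code is valid for, or None."""
    hash_part, sep, session_id = code.partition(".")
    if not sep or not hash_part:
        return None
    session = sessions.get(session_id)
    if session is None:
        return None
    expected = code_hash(code_secret, session["action_key"], session["id"])
    # Constant-time comparison: the hash is the only secret-derived part of the code.
    if not hmac.compare_digest(expected.encode("ascii"), hash_part.encode("ascii")):
        return None
    return session


def demo() -> dict:
    """Exercise the scheme on constructed sessions; returns a dict of outcomes."""
    realm_code_secret = str(uuid.uuid4())  # regenerated whenever the realm keys rotate
    a = new_session("AUTHENTICATE")
    b = new_session("AUTHENTICATE")
    sessions = {a["id"]: a, b["id"]: b}
    code_a = make_code(realm_code_secret, a)
    hash_a, id_a = code_a.split(".")
    results = {"code_length": len(code_a)}  # 43-char hash + '.' + 36-char UUID

    results["valid"] = verify_code(code_a, realm_code_secret, sessions) is a
    # Splicing A's hash onto B's id: the hash is bound to the session id, so it fails.
    results["spliced_rejected"] = verify_code(hash_a + "." + b["id"], realm_code_secret, sessions) is None
    # A single altered character in the hash fails.
    flipped = ("A" if hash_a[0] != "A" else "B") + hash_a[1:]
    results["tampered_rejected"] = verify_code(flipped + "." + id_a, realm_code_secret, sessions) is None
    # Unknown session id and wrong realm secret both fail.
    results["unknown_rejected"] = verify_code(hash_a + "." + str(uuid.uuid4()), realm_code_secret, sessions) is None
    results["wrong_secret_rejected"] = verify_code(code_a, str(uuid.uuid4()), sessions) is None
    # Updating the action rotates the action key: the old code dies, a new one works.
    set_action(a, "CODE_TO_TOKEN")
    results["stale_rejected"] = verify_code(code_a, realm_code_secret, sessions) is None
    results["fresh_valid"] = verify_code(make_code(realm_code_secret, a), realm_code_secret, sessions) is a
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The verifier never trusts the hash part on its own: it looks the session up by the id carried in the code and recomputes the expected hash from server-side state, so an attacker holding an old code learns nothing useful once the action key has been rotated or the realm code secret regenerated.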
