[keycloak-dev] timeouts

Stian Thorgersen stian at redhat.com
Mon Jul 27 01:48:28 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Saturday, 25 July, 2015 6:50:42 PM
> Subject: Re: [keycloak-dev] timeouts
> 
> I implemented this as a JWS with hmac256 of the realm's secret code.  It
> stores the client session as json based on whatever it is at the start
> of authentication process.  This is about 700 bytes in size.  combine
> this with our other cookies, I think we are still well below the 4k max
> on per domain total cookie size.
> 
> You will also get a message "You took too long to login.  Login process
> starting from beginning."
> 
> I know some people were complaining that you have to enter in your
> username/password twice, but IMO, there's no way around this at this
> time without reworking the auth spi significantly.  I'm not sure if it
> is even possible yet.

I think what we have now is the best trade-off considering usability and security, so IMO the problem is solved now.

> 
> On 7/24/2015 3:14 AM, Stian Thorgersen wrote:
> > +1 I can't see why basically just saving the initial request from the
> > client is a problem - sounds like it would be a proper solution to the
> > problem
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 23 July, 2015 5:16:23 PM
> >> Subject: [keycloak-dev] timeouts
> >>
> >> Was thinking about this more and I think it might be ok to have a
> >> session cookie that has all the initial information needed to restore
> >> the client session and restart the login without having to redirect back
> >> to the client.  The session cookie would match up against the code query
> >> param that is passed around.  This would probably be good enough
> >> protection.  Only thing an attacker would be able to do is restart the
> >> login.
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 
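The signed-cookie scheme Bill describes above, as an added illustration that is not Keycloak's own code: the client session captured at the start of authentication is serialised into a compact HS256 JWS, and on restore the signature is verified, the stored code is matched against the `code` query parameter, and the login timeout is enforced. The realm secret, the timeout value, the session field names and the error messages are assumptions made for the example.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed values: a real deployment keeps the realm secret and timeout in realm config.
REALM_SECRET = secrets.token_bytes(32)
LOGIN_TIMEOUT_SECONDS = 300

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_login_cookie(client_session: dict, secret: bytes = REALM_SECRET, now=None) -> str:
    """Serialise the client session (as it is when authentication starts) into a
    compact JWS signed with HMAC-SHA256 over the realm secret."""
    payload = dict(client_session, started_at=int(now if now is not None else time.time()))
    header = _b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def restore_client_session(cookie: str, code_param: str, secret: bytes = REALM_SECRET, now=None) -> dict:
    """Verify the cookie, match it against the code query param and enforce the
    login timeout. Returns the stored session or raises ValueError with the
    reason the login has to restart from the beginning."""
    parts = cookie.split(".")
    if len(parts) != 3:
        raise ValueError("malformed cookie")
    header, body, sig = parts
    expected = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a tampered or forged cookie is rejected before it is parsed.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    session = json.loads(_b64url_decode(body))
    # The cookie is only useful together with the code that is passed around in the query.
    if not hmac.compare_digest(session["code"].encode(), code_param.encode()):
        raise ValueError("cookie does not match code param")
    now = now if now is not None else time.time()
    if now - session["started_at"] > LOGIN_TIMEOUT_SECONDS:
        raise ValueError("You took too long to login. Login process starting from beginning.")
    return session
```

Checking `len(cookie)` against the 4k per-domain cookie budget at issue time is the easiest way to keep the stored session from growing past what browsers accept.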

