[keycloak-dev] application session state update

Marek Posolda mposolda at redhat.com
Tue Mar 31 04:02:36 EDT 2015


On 31.3.2015 09:33, Stian Thorgersen wrote:
>
> ----- Original Message -----
>> From: "Bastian Ike" <bastian.ike at aoe.com>
>> To: "Marek Posolda" <mposolda at redhat.com>, "Sebastian Rose" <sebastian.rose at aoe.com>, keycloak-dev at lists.jboss.org
>> Sent: Tuesday, 31 March, 2015 9:24:09 AM
>> Subject: Re: [keycloak-dev] application session state update
>>
>> Hi guys,
>>
>> We're connecting Magento with Keycloak, and the SID is regenerated after
>> every change of the login status to prevent session fixation attacks, where
>> attackers might be able to enforce a session id or observe a session id
>> prior to authentication and can later access user accounts by requesting
>> private resources using these session ids.
>>
>> SID refreshes are a common way to prevent this kind of issue and to ensure
>> that old SIDs are not leaked and cannot be enforced or predicted.
> I don't think this is relevant to this discussion, but in either case that's not an issue in Keycloak. The session id in Keycloak is just a reference to a specific user session and only valid for the lifetime of the session (it's also a UUID so is not predictable). Having the knowledge of a session id doesn't provide an attacker with anything more than say a username, it's just a reference.
That's actually related to the application session (a kind of HttpSession 
ID in a web application secured by Keycloak). We can add support for 
changing application_session_state in the refreshToken endpoint instead of 
introducing a separate endpoint. Will it be sufficient for your use case?

Marek
>
>>
>> Regards, Bastian
>>
>>
>> From: Marek Posolda <mposolda at redhat.com>
>> Date: Mon, 30 Mar 2015 23:00:03 +0200
>> To: Sebastian Rose <sebastian.rose at aoe.com>, "keycloak-dev at lists.jboss.org"
>> <keycloak-dev at lists.jboss.org>
>> Subject: Re: [keycloak-dev] application session state update
>>
>> On 27.3.2015 17:22, Sebastian Rose wrote:
>>
>> Hi everyone,
>>
>> The endpoint /auth/realms/<realm>/protocol/openid-connect/access/codes has a
>> parameter for the session id of a secured application (adapters use it):
>> application_session_state. The endpoint
>> /auth/realms/<realm>/protocol/openid-connect/refresh does not. At least this
>> is what I saw within the code. Sorry, if it's there.
>>
>> We have integrated our own application a la adapter, using these two URLs,
>> and it's working fine. Our application completes the login via the first
>> endpoint and changes its session id after the successful login. This means
>> that when a logout event is sent to our application, the old session id is used.
>> So you're not using the servlet API but something completely different? Which
>> framework are you using? Just curious about your use case, as in a normal
>> servlet application the HttpSession ID is the same for the whole life of the user
>> interaction and doesn't need to be changed after authentication (or during
>> refresh).
>>
>> Marek
>>
>> So I'm asking if it makes sense to you to have the same parameter for the
>> refresh URL to cover our requirement, or to integrate an
>> application_session_state update endpoint to add/delete/update
>> additional/new session IDs.
>>
>> Best Regards
>>
>> Sebastian
>>
>> _______________________________________________
>> keycloak-dev mailing list keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
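The thread above describes two things that collide: rotating the application's session ID after login (Bastian's session-fixation defence) and the IdP remembering only the session ID it was told at login time via application_session_state (Sebastian's problem with back-channel logout naming the old ID). The following is an added illustration, not Keycloak, Magento or adapter code. It assumes a self-written session store; the IdP-side behaviour is reduced to "the logout request carries the SID that was registered at login". Names such as `complete_login`, `backchannel_logout` and `registered_sid` are invented here.

```python
"""Session-ID rotation at login with a stable lookup key for IdP back-channel logout.

Added illustration (not Keycloak or Magento code). Only the parameter name
application_session_state is taken from the thread; everything else is assumed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user: Optional[str] = None          # None until the login completes
    data: dict = field(default_factory=dict)
    # SID that was sent to the IdP as application_session_state at login.
    # The IdP will name this SID in a later back-channel logout.
    registered_sid: Optional[str] = None


class SessionStore:
    def __init__(self) -> None:
        self._by_sid: dict[str, Session] = {}
        # registered (pre-rotation) SID -> current SID; consulted only for logout
        self._by_registered: dict[str, str] = {}

    @staticmethod
    def _new_sid() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable

    def create(self) -> str:
        sid = self._new_sid()
        self._by_sid[sid] = Session()
        return sid

    def resolve(self, sid: str) -> Optional[Session]:
        """Cookie -> session. Only the *current* SID is accepted; retired ones are gone."""
        return self._by_sid.get(sid)

    def complete_login(self, presented_sid: str, user: str) -> tuple[str, str]:
        """Called after the code-to-token exchange with the IdP succeeded.

        Returns (SID the IdP was given as application_session_state, new cookie SID).
        The pre-login SID is retired so a fixated or observed SID stops working,
        but it is remembered as the key the IdP will use when it sends a logout.
        """
        session = self._by_sid.pop(presented_sid, None)
        if session is None:
            raise KeyError("unknown session")
        if session.registered_sid is None:
            # First login in this session: the IdP was told the SID we are now retiring.
            session.registered_sid = presented_sid
        session.user = user
        new_sid = self._new_sid()
        self._by_sid[new_sid] = session
        self._by_registered[session.registered_sid] = new_sid
        return session.registered_sid, new_sid

    def rotate(self, presented_sid: str) -> str:
        """Rotate again (e.g. on a privilege change) without re-registering at the IdP."""
        session = self._by_sid.pop(presented_sid)
        new_sid = self._new_sid()
        self._by_sid[new_sid] = session
        if session.registered_sid is not None:
            self._by_registered[session.registered_sid] = new_sid
        return new_sid

    def backchannel_logout(self, registered_sid: str) -> bool:
        """Handle an IdP logout that names the SID the IdP was given at login.

        The caller must already have verified that the request really comes from
        the IdP; the SID is only a lookup key here, never a credential.
        """
        current = self._by_registered.pop(registered_sid, None)
        if current is None:
            return False
        self._by_sid.pop(current, None)
        return True


def fixation_scenario() -> dict:
    """Attacker plants a SID, the victim logs in, the IdP later logs the session out."""
    store = SessionStore()
    planted = store.create()            # attacker fixes or observes this SID before login
    registered, live = store.complete_login(planted, user="alice")
    result = {
        "planted_rejected": store.resolve(planted) is None,   # fixated SID is now useless
        "live_works": store.resolve(live) is not None and store.resolve(live).user == "alice",
        "idp_knows_old": registered == planted,               # what the IdP will send back
    }
    live2 = store.rotate(live)          # a later rotation; the IdP still knows only `planted`
    result["rotated_works"] = store.resolve(live2) is not None
    result["logout_by_old_sid"] = store.backchannel_logout(planted)
    result["gone_after_logout"] = store.resolve(live2) is None
    return result
```

The mapping from the registered SID to the current one is what an "application_session_state update" on the refresh endpoint would make unnecessary: if the application could tell the IdP the new SID on every refresh, the IdP's logout would name the current ID and the store could drop `_by_registered`. Until then, the application has to keep the old ID around for logout lookups only, and must make sure that knowing it grants nothing else.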