[keycloak-dev] JWS sizes

Stian Thorgersen sthorger at redhat.com
Wed Mar 22 03:43:40 EDT 2017


It's even worse: there are cases where cookie storage is limited to 2k per
domain. Some reverse proxies have that as the default apparently.

On 21 March 2017 at 18:57, Marek Posolda <mposolda at redhat.com> wrote:

> I guess we're not going to support cookie storage anyway, but if yes (in
> theory) isn't it sufficient to go with Hmac-SHA256 based signature? It
> would be Keycloak server itself, which both creates and verifies cookie,
> so perhaps not a need for bigger and less performant RSA?
>
> Which reminds me that we can probably save some performance points by using
> HMAC for refresh tokens too? Since it's the Keycloak itself which signs
> and verifies it and from the adapter perspective, refresh token is just
> an opaque string.
>

+1 Good point! Can you JIRA it and set fix version to 3.3 please?


>
> Marek
>
> On 21/03/17 17:25, Bill Burke wrote:
> > FYI,
> >
> > Signature for RSA-Sha-256 for JWS is 172 bytes.  The Header of the JWS
> > is minimally 20 extra bytes.  Can be more depending on additional
> > headers (kid, typ, cty).  Wanted to state these numbers as they affect
> > if we want to use a cookie to store session information instead of
> > within a ClientSessionModel on the auth server, or HttpSession on
> > clients/apps.  Supposedly cookie storage is limited to 4k per domain, so
> > we're immediately starting 200 bytes (5%) in the hole.
> >
> > Bill
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>


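The size arithmetic in the thread, as an added example (not code from the thread or from Keycloak itself): a minimal HS256 JWS is produced and verified with a shared secret, and the fixed overhead of a compact JWS (header, two dots, signature) is computed for HS256 versus RS256 so it can be set against a 4k or 2k cookie budget. It assumes the minimal header `{"alg":"..."}` with no kid/typ/cty, and that an RS256 signature is as long as the RSA modulus (1024 bits gives 171 encoded characters, 2048 bits gives 342).

```python
import base64
import hashlib
import hmac
import json
import math


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_len(n_bytes: int) -> int:
    """Character length of n_bytes after unpadded base64url encoding."""
    return math.ceil(n_bytes * 4 / 3)


def hs256_jws(payload: dict, key: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(expected), sig)


def jws_overhead(alg: str, rsa_bits: int = 2048) -> int:
    """Bytes a compact JWS adds on top of the payload: minimal header, two
    dots, and the signature. Assumption: an RS256 signature is modulus-sized."""
    header_len = b64url_len(len(json.dumps({"alg": alg}, separators=(",", ":"))))
    sig_bytes = 32 if alg == "HS256" else rsa_bits // 8
    return header_len + 2 + b64url_len(sig_bytes)


def cookie_headroom(cookie_limit: int, alg: str, rsa_bits: int = 2048) -> int:
    """Payload bytes left in a cookie of cookie_limit once the JWS overhead is paid."""
    return cookie_limit - jws_overhead(alg, rsa_bits)


if __name__ == "__main__":
    # Constructed sample session claim; the key is a placeholder, not a real secret.
    tok = hs256_jws({"sid": "constructed-session-id"}, b"placeholder-hmac-key")
    print(len(tok), verify_hs256(tok, b"placeholder-hmac-key"))
    for limit in (4096, 2048):
        print(limit, cookie_headroom(limit, "HS256"), cookie_headroom(limit, "RS256", 2048))
```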