[keycloak-dev] JWS sizes
Marek Posolda
mposolda at redhat.com
Wed Mar 22 04:12:09 EDT 2017
On 22/03/17 08:43, Stian Thorgersen wrote:
> It's even worse: there are cases where cookie storage is limited to 2k
> per domain. Some reverse proxies have that as the default apparently.
>
> On 21 March 2017 at 18:57, Marek Posolda <mposolda at redhat.com> wrote:
>
> I guess we're not going to support cookie storage anyway, but if yes (in
> theory) isn't it sufficient to go with an HMAC-SHA256 based signature? It
> would be the Keycloak server itself which both creates and verifies the
> cookie, so perhaps no need for the bigger and less performant RSA?
>
> Which reminds me that we can probably save some performance points by
> using HMAC for refresh tokens too? Since it's Keycloak itself which signs
> and verifies it, and from the adapter perspective the refresh token is
> just an opaque string.
>
>
> +1 Good point! Can you JIRA it and set fix version to 3.3 please?
Created https://issues.jboss.org/browse/KEYCLOAK-4622 for refresh tokens.
Also created https://issues.jboss.org/browse/KEYCLOAK-4623 for client
registration tokens, which I think is a similar case. The performance
here is not so critical, but still, I think the fix would be pretty easy
and worth doing IMO.
Marek
>
>
> Marek
>
> On 21/03/17 17:25, Bill Burke wrote:
> > FYI,
> >
> > Signature for RSA-SHA-256 for JWS is 172 bytes. The header of the JWS
> > is minimally 20 extra bytes. Can be more depending on additional
> > headers (kid, typ, cty). Wanted to state these numbers as they affect
> > whether we want to use a cookie to store session information instead of
> > within a ClientSessionModel on the auth server, or HttpSession on
> > clients/apps. Supposedly cookie storage is limited to 4k per domain, so
> > we're immediately starting 200 bytes (5%) in the hole.
> >
> > Bill
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
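The size arithmetic discussed in the thread (header plus signature against a 4k or 2k cookie budget) and the suggestion to use HMAC where the same server both signs and verifies, as an added example that is not code from the thread or from Keycloak: a minimal HS256 compact-JWS sign/verify built only on the Python standard library, plus an estimator of the fixed overhead of HS256 versus RS256. The RSA key size is a parameter because the thread does not state one; the cookie budgets, the demo key, the session payload and the function names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import math
from typing import Optional

# Per-domain cookie budgets mentioned in the thread (constructed constants for the demo).
COOKIE_BUDGET_4K = 4096
COOKIE_BUDGET_2K = 2048


def b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS compact serialization requires (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_len(n_bytes: int) -> int:
    """Character length of the unpadded base64url encoding of n_bytes."""
    return math.ceil(4 * n_bytes / 3)


def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def hs256_sign(payload: dict, key: bytes, extra_headers: Optional[dict] = None) -> str:
    """Produce a compact JWS signed with HMAC-SHA256; the same secret verifies it."""
    header = {"alg": "HS256", **(extra_headers or {})}
    h, p = b64url(compact_json(header)), b64url(compact_json(payload))
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url(sig)}"


def hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if token is a valid HS256 JWS under key, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        actual = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, actual):  # constant-time comparison
        return None
    return json.loads(b64url_decode(p))


def jws_overhead(alg: str, rsa_key_bits: int = 2048,
                 extra_headers: Optional[dict] = None) -> dict:
    """Fixed bytes a compact JWS adds on top of its payload: header + signature + two dots."""
    header = {"alg": alg, **(extra_headers or {})}
    header_len = b64url_len(len(compact_json(header)))
    if alg == "HS256":
        sig_bytes = hashlib.sha256().digest_size  # 32-byte MAC
    elif alg == "RS256":
        sig_bytes = rsa_key_bits // 8             # RSA signature length equals the modulus size
    else:
        raise ValueError(f"unsupported alg {alg}")
    sig_len = b64url_len(sig_bytes)
    total = header_len + sig_len + 2
    return {
        "header": header_len,
        "signature": sig_len,
        "total": total,
        "pct_of_4k_cookie": round(100 * total / COOKIE_BUDGET_4K, 1),
        "pct_of_2k_cookie": round(100 * total / COOKIE_BUDGET_2K, 1),
    }


if __name__ == "__main__":
    key = b"\x01" * 32  # constructed demo secret; a real one is 32 random bytes kept server-side
    token = hs256_sign({"sid": "constructed-session-id", "exp": 1490174400}, key)
    print(token, len(token))
    print(hs256_verify(token, key))
    for alg, bits in (("HS256", 0), ("RS256", 2048), ("RS256", 4096)):
        print(alg, bits, jws_overhead(alg, bits))
```

With the minimal header the estimator gives 65 bytes of fixed overhead for HS256 against 364 for RS256 with a 2048-bit key, which is the gap the thread is weighing for cookie-stored session state and for refresh tokens. The verifier deliberately ignores the `alg` value in the token for anything other than an equality check against the expected algorithm, and compares MACs with `hmac.compare_digest`; the secret never leaves the server, which is exactly the property that makes HMAC adequate when the same party creates and verifies the token.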