[keycloak-dev] JWS sizes
mposolda at redhat.com
Wed Mar 22 04:12:09 EDT 2017
On 22/03/17 08:43, Stian Thorgersen wrote:
> It's even worse there's cases where cookie storage is limited to 2k
> per domain. Some reverse proxies have that as the default apparently.
> On 21 March 2017 at 18:57, Marek Posolda <mposolda at redhat.com
> <mailto:mposolda at redhat.com>> wrote:
> I guess we're not going to support cookie storage anyway, but if
> yes (in
> theory) isn't it sufficient to go with Hmac-SHA256 based signature? It
> would be Keycloak server itself, which both creates and verifies
> so perhaps not a need for bigger and less performant RSA?
> Which reminds that we can probably save some performance points by
> HMAC for refresh tokens too? Since it's the Keycloak itself which
> and verifies it and from the adapter perspective, refresh token is
> an opaque string.
> +1 Good point! Can you JIRA it and set fix version to 3.3 please?
Created https://issues.jboss.org/browse/KEYCLOAK-4622 for refresh tokens.
Also created https://issues.jboss.org/browse/KEYCLOAK-4623 for client
registration tokens, which I think is a similar case. The performance
here is not so critical though, but still, I think the fix would be
pretty-easy and worth to do it IMO.
> On 21/03/17 17:25, Bill Burke wrote:
> > FYI,
> > Signature for RSA-Sha-256 for JWS is 172 bytes. The Header of
> the JWS
> > is minimally 20 extra bytes. Can be more depending on additional
> > headers (kid, typ, cty). Wanted to state these numbers as they
> > if we want to use a cookie to store session information instead of
> > within a ClientSessionModel on the auth server, or HttpSession on
> > clients/apps. Supposedly cookie storage is limited to 4k per
> domain, so
> > we're immediately starting 200 bytes (5%) in the hole.
> > Bill
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
More information about the keycloak-dev