[keycloak-dev] JWS sizes

Stian Thorgersen sthorger at redhat.com
Wed Mar 22 04:42:22 EDT 2017


We also need to make sure action tokens use HMAC

On 22 March 2017 at 09:12, Marek Posolda <mposolda at redhat.com> wrote:

> On 22/03/17 08:43, Stian Thorgersen wrote:
>
> It's even worse: there are cases where cookie storage is limited to 2k per
> domain. Some reverse proxies have that as the default apparently.
>
> On 21 March 2017 at 18:57, Marek Posolda <mposolda at redhat.com> wrote:
>
>> I guess we're not going to support cookie storage anyway, but if yes (in
>> theory) isn't it sufficient to go with an HMAC-SHA256 based signature? It
>> would be the Keycloak server itself which both creates and verifies the cookie,
>> so perhaps no need for the bigger and less performant RSA?
>>
>> Which reminds me that we can probably save some performance points by using
>> HMAC for refresh tokens too, since it's Keycloak itself which signs
>> and verifies them, and from the adapter perspective the refresh token is just
>> an opaque string.
>>
>
> +1 Good point! Can you JIRA it and set fix version to 3.3 please?
>
> Created https://issues.jboss.org/browse/KEYCLOAK-4622 for refresh tokens.
>
> Also created https://issues.jboss.org/browse/KEYCLOAK-4623 for client
> registration tokens, which I think is a similar case. The performance here
> is not so critical, but still, I think the fix would be pretty easy
> and worth doing IMO.
>
> Marek
>
>
>
>>
>> Marek
>>
>> On 21/03/17 17:25, Bill Burke wrote:
>> > FYI,
>> >
>> > The signature for RSA-SHA-256 for JWS is 172 bytes.  The header of the JWS
>> > is minimally 20 extra bytes.  It can be more depending on additional
>> > headers (kid, typ, cty).  Wanted to state these numbers as they affect
>> > whether we want to use a cookie to store session information instead of
>> > within a ClientSessionModel on the auth server, or HttpSession on
>> > clients/apps.  Supposedly cookie storage is limited to 4k per domain, so
>> > we're immediately starting 200 bytes (5%) in the hole.
>> >
>> > Bill
>> >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>>
>>
>
>
>
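The size arithmetic discussed in this thread, worked through as an added example that is not Keycloak code and not from anyone on the list. It uses only the Python standard library: a minimal compact JWS (RFC 7515) signed and verified with HMAC-SHA256 by the same party, as Marek proposes for cookies and refresh tokens, plus a function that computes the fixed overhead (minimal `{"alg":...}` header, two dots, encoded signature) for HS256 versus RS256. The 2048-bit RSA default, the 4096-byte cookie budget and the secret key are assumptions constructed for the example; an RSA signature is as long as the key modulus, so a 128-byte (1024-bit) signature encodes to 171 characters unpadded or 172 padded, which is the figure quoted above.

```python
import base64
import hashlib
import hmac
import json
import math
from typing import Optional

# Added example, not Keycloak code: a minimal compact JWS signed with
# HMAC-SHA256, plus the size arithmetic behind the numbers in the thread.


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires for every segment."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url; re-adds the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_len(n_bytes: int) -> int:
    """Characters needed to base64url-encode n_bytes without padding."""
    return math.ceil(4 * n_bytes / 3)


def sign_hs256(payload: dict, key: bytes, kid: Optional[str] = None) -> str:
    """Build header.payload.signature. The same server holds the key, so
    HS256 suffices when nobody else ever needs to verify the token."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the MAC checks out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(b64url_decode(parts[0]))
        provided = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the verifier must never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):  # constant-time compare
        return None
    return json.loads(b64url_decode(parts[1]))


def jws_overhead(alg: str, rsa_bits: int = 2048) -> int:
    """Fixed characters a compact JWS adds around the payload: the minimal
    {"alg":"..."} header, two dots and the encoded signature. An HS256 MAC
    is 32 bytes; an RSA signature is as long as the modulus (rsa_bits // 8).
    The 2048-bit default is an assumption of this example."""
    header_len = b64url_len(len(json.dumps({"alg": alg}, separators=(",", ":"))))
    sig_bytes = 32 if alg == "HS256" else rsa_bits // 8
    return header_len + 2 + b64url_len(sig_bytes)


def fits_cookie(token: str, limit: int = 4096) -> bool:
    """Assumed per-domain cookie budget from the thread: 4k, or 2k behind
    some reverse proxies."""
    return len(token.encode("ascii")) <= limit


if __name__ == "__main__":
    # Constructed sample key and payload; never hard-code a real secret.
    key = b"server-side-secret-constructed-for-the-example"
    token = sign_hs256({"sub": "alice", "sid": "session-1"}, key)
    print(token, len(token), "bytes;", "fits 2k:", fits_cookie(token, 2048))
    for alg, bits in (("HS256", 0), ("RS256", 1024), ("RS256", 2048)):
        print(alg, bits or "", "overhead:", jws_overhead(alg, bits or 2048))
```

The overhead function makes the trade-off concrete: with a minimal header, HS256 costs 65 characters regardless of key size, while RS256 costs 193 with a 1024-bit key and 364 with a 2048-bit key, all of it charged against the same cookie budget before any payload is stored. The verifier pins `alg` to HS256 rather than reading it from the header, which is the check that keeps a server-side HMAC design from being downgraded by a token claiming a different algorithm.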

