[keycloak-dev] Cross-DC and codeToToken request

Stian Thorgersen sthorger at redhat.com
Wed May 24 00:25:06 EDT 2017


I meant if we are planning to change it. I don't see why it would need to
contain actual claims, but rather could it not just contain the details to
generate the claims?

On 23 May 2017 at 21:43, Marek Posolda <mposolda at redhat.com> wrote:

> Nope, right now OAuth code just references userSession and client. ATM
> code itself is not JWT.
>
> Marek
>
>
> On 23/05/17 14:55, Stian Thorgersen wrote:
>
> Marek - are we not just storing the details we need to know what mappers
> to invoke? There's no actually claims in there right?
>
> On 23 May 2017 at 12:29, Schuster Sebastian (INST/ESY1) <
> Sebastian.Schuster at bosch-si.com> wrote:
>
>> Another argument against providing claims in the code is that it can be
>> stolen by rogue mobile apps and PKCE does not help here as it only prevents
>> using stolen codes. Encrypting the code could help, but this might also
>> have impact on code size. Maybe it is best to first try the on-demand
>> replication approach and see if it nails it before introducing another
>> configuration switch that could be set wrong and the associated code?
>>
>> Best regards,
>> Sebastian
>>
>> Mit freundlichen Grüßen / Best regards
>>
>>  Sebastian Schuster
>>
>> Engineering and Support (INST/ESY1)
>> Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin
>> | GERMANY | www.bosch-si.com
>> Tel. +49 30 726112-485 | Fax +49 30 726112-100 |
>> Sebastian.Schuster at bosch-si.com
>>
>> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
>> Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn
>>
>>
>>
>>
>> > -----Original Message-----
>> > From: keycloak-dev-bounces at lists.jboss.org [mailto:keycloak-dev-
>> > bounces at lists.jboss.org] On Behalf Of Marek Posolda
>> > Sent: Dienstag, 23. Mai 2017 10:41
>> > To: Bill Burke <bburke at redhat.com>; keycloak-dev at lists.jboss.org
>> > Subject: Re: [keycloak-dev] Cross-DC and codeToToken request
>> >
>> > On 22/05/17 15:16, Bill Burke wrote:
>> > >>> 4) Is it ok to have option to relax on code one-time use? Otherwise
>> > >>> in cross-DC and without sticky session, the every code exchange may
>> > >>> require SYNC request to another DCs to doublecheck code was not used
>> > already.
>> > >>> Not good for performance..
>> > >>>
>> > >> Maybe this is OK. Confidential apps needs credentials and then
>> > >> there's Proof Key for Code Exchange for public clients. Although the
>> > >> latter may be another issue in cross-DC?
>> > >>
>> > >>
>> > >>> For now, I can see some combination of 1,3,4 as a way to go. WDYT?
>> > >>> Marek
>> > > I think 1 and 4 will hobble us for future things we want to do.
>> >
>> > Ok, I understand 1 may be problematic for some scenarios and won't do
>> it. But
>> > what exactly is a blocker for relax on code one-time use?
>> >
>> > I am thinking that code will be still single-use by default as it's
>> required per
>> > OAuth2/OIDC specs. However admins, who prefer performance over
>> security, may
>> > choose to relax strict code one-time use. This may be new option - not
>> sure
>> > whether configurable per realm or per client. I can see it's likely ok
>> in some
>> > environments (private corporate networks
>> > etc) ?
>> >
>> > Marek
>> >
>> > _______________________________________________
>> > keycloak-dev mailing list
>> > keycloak-dev at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>


More information about the keycloak-dev mailing list