[keycloak-dev] Single-use cache for OAuth code, Code changed to be JWE

Bill Burke bburke at redhat.com
Fri Sep 29 09:32:08 EDT 2017 

Looks good.  Just worry about the size of the code JWT.

On Fri, Sep 29, 2017 at 7:59 AM, Marek Posolda <mposolda at redhat.com> wrote:
> I've sent PR https://github.com/keycloak/keycloak/pull/4512, which
> implements first part of
> https://docs.google.com/document/d/1C1vFhyGPBOnN3pprw6XPZnK08azyTm-HVIqO9dY3aTY/edit
>
> Some details:
> - Partially implemented support for JWE, so we can use encrypted JWT.
>
> - OAuth code is changed to be JWT. It's encrypted and
> integrity-protected with AES128-CBC-HMAC-SHA256 algorithm. Code is
> encrypted with realm AES key (new symmetric key generated by default for
> every realm similar to HMAC key) and signed with HMAC key.
>
> - I've added support for AES keys, so we now have RSA, HMAC and AES keys.
>
> - Code JWT doesn't yet contain much at this moment. There is just unique
> ID, userSession ID, client UUID and expiration (60 seconds). Next step
> is to add more into it, especially notes as mentioned in the docs.
>
> - Single-use cache is used to track which codes were already used. For
> now, it's reusing existing "actionTokens" infinispan cache. It's using
> "putIfAbsent" to add codes into the cache, hence now we are sure that
> the particular code is really used just once. The previous approach with
> the note on userSession didn't allow this. I've added new testcase to
> ConcurrentLoginTest for check that code is used just once. It's passing
> for cross-dc as well, however we may allow people to save some
> performance with the small possibility that same code will pass on both
> datacenters.
>
> - Now we also pass the scenario when SSO login with same client is
> opened on 2 browser tabs concurrently. Also added test to
> ConcurrentLoginTest and it's passing for cross-dc too. Previously this
> scenario may not work correctly as the "code" in the clientSession note
> may be generated concurrently by both requests and one of them will then
> fail to verify.
>
>
> Next steps:
> - Continue with the stuff described in the docs
> https://docs.google.com/document/d/1C1vFhyGPBOnN3pprw6XPZnK08azyTm-HVIqO9dY3aTY/edit
> (Remove protocolMappers and roles from clientSession etc).
>
> - It should be easy to use same stuff for refreshTokens . From what I
> see, the performance of AES128-CBC-HMAC-SHA256 is much better than RSA
> and provides the encryption too.
>
> Any comments?
>
> Marek
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev



-- 
Bill Burke
Red Hat

More information about the keycloak-dev mailing list