Open mposolda opened 3 hours ago
I would also like to understand if this would affect only authentication sessions, or also also already logged in users with their user session. If this change would log-out all currently logged in users, we should try to avoid it.
Description
Can we sign the value of
AUTH_SESSION_ID
cookie to make sure that it is integrity checked?I am not sure about the performance impact of this, but hopefully can be acceptable as we can sign with symmetric key (possibly something like HMAC SHA256), which doesn't have so big overhead. This may require some changes in the cookie creation and validation and we should make sure that the cookie is validated, but it is validated just once per request (hopefully value can be cached as an attribute in
KeycloakContext
or eventuallyAuthenticationSession
itself, which is already there, but it can be nice to doublecheck the existing codebase to make sure that we don't validate signature multiple times per request, but exactly once). Anyway, we should probably test the performance of this before/after this change...Also we use the
authSessionId
in some endpoints (likeLoginActionsService
), so this might be affected too.NOTE: This change could be a concern for backwards compatibility for the cluster-like deployments, which would use the new servers (with this change) combined with the old servers (without this change). That is due the format of the cookie would be incompatible. So if we want to support zero-downtime upgrade for cluster deployments, then this change probably should not go to the micro-release, but only to the minor releases.
Discussion
No response
Motivation
No response
Details
No response