Task #636
closed
Reduce JWT token size
100%
Description
JWT token size is not the edge http header size. We need to find solution to reduce it.
Related issues
Updated by Jan Helbich over 6 years ago
- Assignee changed from Jan Helbich to Radek Tomiška
According to https://docs.microsoft.com/en-us/windows-hardware/customize/mobile/mcsf/custom-http-headers-for-internet-explorer, max size of a custom header for Edge is 1k. That's not much :)
The problem are the authorities in the token.FE is not a problem here. In case the authorities are changed, the user is logged out and authorities are loaded again from new token - this can be easily replaced by adding a simple GET endpoint which returns the list of user's own authorities.
Authorities in token are used mainly for server-side caching. Otherwise it would be necessary to fetch CzechIdM authorities of the identity on every request, which is quite a lengthy task.
Therefore I think we have a few options here:
- heavily optimize the loading of authorities (this would be nice anyway) and load on each request
- cache authorities on the server
- requires distributed cache :)
- compress authorities in token with something like LZMA... (ugly)
Updated by Radek Tomiška almost 6 years ago
- Related to Defect #606: IdmIdentityService.updateAuthorityChange should be thread-safe added
Updated by Radek Tomiška almost 6 years ago
- Assignee changed from Radek Tomiška to Vít Švanda
- Target version set to Lapis (8.2.0)
- % Done changed from 0 to 90
Tokens and authorities are persisted in database now. I removed authorities from JWT token content => token size was reduced to ~ 500B and will be constant now.
I refactored mechanism with authorization changes to standard logout (~ disable user's token) - when logged user authorities are removed (assigned role was removed or role permission was removed), then users tokens are disabled.
I changed some implementation classes only, api is preserved (see JwtAuthenticationService). I executed tests for OpenAm and PasswordReset module too - they works.
- https://wiki.czechidm.com/devel/documentation/security/dev/authentication
- https://wiki.czechidm.com/devel/documentation/security#authorization_and_jwt_token
- https://wiki.czechidm.com/devel/documentation/security/dev/security#api_endpoints
- https://github.com/bcvsolutions/CzechIdMng/blob/rtomiska/token/CHANGELOG.md
Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/440fa7761ff12fa34d2a59686711240abef8cd22
Could you do a feedback, pls?
Updated by Vít Švanda almost 6 years ago
- Status changed from New to Needs feedback
Updated by Vít Švanda almost 6 years ago
- Status changed from Needs feedback to In Progress
- Assignee changed from Vít Švanda to Radek Tomiška
I did review and test.
That is awesome feature. I like ability to disable a identity.
I found small problems:- There exists protection interval for generate new token. But that interval works only once after IdmToken item is created. Then is token generated on every request.
- After deletion some item from the IdmToken table works authentication with this token correctly (that is nice). But I expected creation new item in the IdmToken on next request (with 'deleted' token).
- Token is presisted in the IdmToken table now. Token is in the plain text. This can be security issue. I suggest use some hash instead whole token. Maybe not saving the token anymore will be the simplest solution for now.
Updated by Radek Tomiška almost 6 years ago
- Status changed from In Progress to Needs feedback
- Assignee changed from Radek Tomiška to Vít Švanda
Thx for feedback, specially for note about persist raw token - it was really dangerous, i didn't realize it. Token hash (sha-1) is saved now only. I fixed all three things above.
Commit: https://github.com/bcvsolutions/CzechIdMng/commit/d3978c41040c88f0c59f61e8f07e36b40a86022a
Could you do a review again please?
Updated by Vít Švanda almost 6 years ago
- Status changed from Needs feedback to In Progress
I did re-review and re-test.
All three previous comments works nice now. Thanks for that.
I discovered the small issue ... when I used old version of token (totaly unvalid), was user evaluated as "null". All authorities was loaded then (but on end token was evaluated as unvalid ... so this is only performence issue not security).
Updated by Vít Švanda almost 6 years ago
- Assignee changed from Vít Švanda to Radek Tomiška
Updated by Radek Tomiška almost 6 years ago
- Status changed from In Progress to Closed
- % Done changed from 90 to 100
Thx for feedback, i fixed creating token, when no identity is given:
https://github.com/bcvsolutions/CzechIdMng/commit/a52730a05b635fb03efaec7c12bddff75b896f09
Updated by Radek Tomiška over 5 years ago
- Related to Defect #1191: Log out needs higher privileges added
Updated by Radek Tomiška over 5 years ago
- Related to Task #1198: Token - extend expiration in the half only added
Updated by Radek Tomiška over 4 years ago
- Related to Feature #499: Logout endpoint on backend added