Task #636

Reduce JWT token size

Added by Radek Tomiška over 7 years ago. Updated over 6 years ago.

Status: Closed
Priority: High
Assignee: Radek Tomiška
Category: Authentication / Authorization
Target version:
Start date: 08/08/2017
Due date:
% Done: 100%
Estimated time:
Owner:

Description

JWT token size does not fit within the Edge HTTP header size limit. We need to find a solution to reduce it.


Related issues

  • Related to IdStory Identity Manager - Defect #606: IdmIdentityService.updateAuthorityChange should be thread-safe (Closed, Radek Tomiška, 07/27/2017)
  • Related to IdStory Identity Manager - Defect #1191: Log out needs higher privileges (Closed, Radek Tomiška, 07/24/2018)
  • Related to IdStory Identity Manager - Task #1198: Token - extend expiration in the half only (New, Radek Tomiška, 07/26/2018)
  • Related to IdStory Identity Manager - Feature #499: Logout endpoint on backend (Closed, Radek Tomiška, 06/09/2017)

#1

Updated by Jan Helbich about 7 years ago

  • Assignee changed from Jan Helbich to Radek Tomiška

According to https://docs.microsoft.com/en-us/windows-hardware/customize/mobile/mcsf/custom-http-headers-for-internet-explorer, the max size of a custom header for Edge is 1k. That's not much :)

The problem is the authorities in the token.
FE is not a problem here. In case the authorities are changed, the user is logged out and the authorities are loaded again from the new token - this can be easily replaced by adding a simple GET endpoint which returns the list of the user's own authorities.
Authorities in the token are used mainly for server-side caching. Otherwise it would be necessary to fetch the CzechIdM authorities of the identity on every request, which is quite a lengthy task.
Therefore I think we have a few options here:
  • heavily optimize the loading of authorities (this would be nice anyway) and load them on each request
  • cache authorities on the server
    • requires a distributed cache :)
  • compress authorities in the token with something like LZMA... (ugly)
#2

Updated by Vít Švanda about 7 years ago

  • Target version deleted (Diamond (7.4.0))
#3

Updated by Radek Tomiška over 6 years ago

  • Related to Defect #606: IdmIdentityService.updateAuthorityChange should be thread-safe added
#4

Updated by Radek Tomiška over 6 years ago

  • Assignee changed from Radek Tomiška to Vít Švanda
  • Target version set to Lapis (8.2.0)
  • % Done changed from 0 to 90

Tokens and authorities are persisted in the database now. I removed authorities from the JWT token content => token size was reduced to ~500 B and will be constant now.
I refactored the mechanism for authorization changes to a standard logout (~ disable the user's token) - when a logged-in user's authorities are removed (an assigned role was removed or a role permission was removed), then the user's tokens are disabled.
I changed some implementation classes only, the API is preserved (see JwtAuthenticationService). I executed tests for the OpenAm and PasswordReset modules too - they work.

Documentation:

Commit:
https://github.com/bcvsolutions/CzechIdMng/commit/440fa7761ff12fa34d2a59686711240abef8cd22

Could you give feedback, please?

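The two token shapes discussed in comments #1 and #4, as an added example that is not code from CzechIdM or from this ticket: a hand-rolled HS256 JWT (standard library only, so it runs offline) carrying a constructed list of 60 authorities, next to the same token carrying only a token id (`jti`) with the authorities resolved server-side by that id. The signing key, the claim names, the authority names and the token id are assumptions made for the example; the point it shows is that the compact token's size no longer depends on how many authorities the identity holds.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Assumption: HS256 signing key constructed for the example only.
SECRET = b"example-signing-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def decode_jwt(token: str, key: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= time.time():
        return None
    return claims


# Constructed: a realistic set of fine-grained authorities (15 entities x 4 operations = 60).
ENTITIES = ["IDENTITY", "ROLE", "TREENODE", "CONTRACT", "FORMDEFINITION",
            "AUDIT", "NOTIFICATION", "SCHEDULER", "CONFIGURATION", "SCRIPT",
            "PASSWORDPOLICY", "WORKFLOW", "SYSTEM", "PROVISIONING", "EVENT"]
OPERATIONS = ["READ", "CREATE", "UPDATE", "DELETE"]
AUTHORITIES = [f"{entity}_{op}" for entity in ENTITIES for op in OPERATIONS]

# Server-side lookup keyed by token id; this replaces the 'authorities' claim.
AUTHORITY_STORE: Dict[str, List[str]] = {}


def issue_fat_token(identity: str, now: Optional[int] = None) -> str:
    """Old shape: every authority travels inside the token."""
    now = int(time.time()) if now is None else now
    return encode_jwt({"sub": identity, "iat": now, "exp": now + 3600,
                       "authorities": AUTHORITIES})


def issue_slim_token(identity: str, token_id: str, now: Optional[int] = None) -> str:
    """New shape: only a token id; the authorities live in the server-side store."""
    now = int(time.time()) if now is None else now
    AUTHORITY_STORE[token_id] = list(AUTHORITIES)
    return encode_jwt({"sub": identity, "jti": token_id, "iat": now, "exp": now + 3600})


def authorities_for(token: str) -> Optional[List[str]]:
    """Verify the token, then resolve its authorities by id (None if invalid or unknown)."""
    claims = decode_jwt(token)
    if claims is None:
        return None
    return AUTHORITY_STORE.get(claims.get("jti", ""))


def token_sizes(identity: str = "admin") -> Tuple[int, int]:
    """Length in bytes of the Authorization header value for both shapes."""
    fat = issue_fat_token(identity)
    slim = issue_slim_token(identity, "3f2a7c1e-9b44-4c0d-8e21-5a6b7c8d9e0f")  # constructed id
    return len(fat), len(slim)


if __name__ == "__main__":
    fat_len, slim_len = token_sizes()
    print(f"authorities inside token: {fat_len} bytes; token id only: {slim_len} bytes")
```

With 60 authorities the first shape is already well past the 1 kB limit quoted in comment #1, while the id-only token stays at a few hundred bytes whatever the identity is allowed to do. The server-side store is a plain dict here; the ticket persists it in the database, which also makes "disable the token" a row update instead of a client-side logout.
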
#5

Updated by Vít Švanda over 6 years ago

  • Status changed from New to Needs feedback
#6

Updated by Vít Švanda over 6 years ago

  • Status changed from Needs feedback to In Progress
  • Assignee changed from Vít Švanda to Radek Tomiška

I did a review and test.

That is an awesome feature. I like the ability to disable an identity.

I found some small problems:
  • There is a protection interval for generating a new token. But that interval works only once after the IdmToken item is created. Then a token is generated on every request.
  • After deleting an item from the IdmToken table, authentication with this token works correctly (that is nice). But I expected creation of a new item in IdmToken on the next request (with the 'deleted' token).
For discussion:
  • The token is persisted in the IdmToken table now. The token is in plain text. This can be a security issue. I suggest using some hash instead of the whole token. Maybe not saving the token anymore would be the simplest solution for now.
#7

Updated by Radek Tomiška over 6 years ago

  • Status changed from In Progress to Needs feedback
  • Assignee changed from Radek Tomiška to Vít Švanda

Thanks for the feedback, especially for the note about persisting the raw token - it was really dangerous, I didn't realize it. Only the token hash (sha-1) is saved now. I fixed all three things above.

Commit: https://github.com/bcvsolutions/CzechIdMng/commit/d3978c41040c88f0c59f61e8f07e36b40a86022a

Could you do a review again please?

#8

Updated by Vít Švanda over 6 years ago

  • Status changed from Needs feedback to In Progress

I did a re-review and re-test.

All three previous comments work nicely now. Thanks for that.

I discovered a small issue ... when I used an old version of the token (totally invalid), the user was evaluated as "null". All authorities were loaded then (but in the end the token was evaluated as invalid ... so this is only a performance issue, not security).

#9

Updated by Vít Švanda over 6 years ago

  • Assignee changed from Vít Švanda to Radek Tomiška
#10

Updated by Radek Tomiška over 6 years ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

Thanks for the feedback, I fixed creating a token when no identity is given:
https://github.com/bcvsolutions/CzechIdMng/commit/a52730a05b635fb03efaec7c12bddff75b896f09

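The persistence side of the discussion in comments #6, #7 and #8/#10, as an added example that is not CzechIdM code: an in-memory stand-in for the token table that stores only a hash of the issued token, extends a token's expiration at most once per protection interval instead of on every request, disables all of an identity's tokens when its authorities change, and answers an unknown or invalid token with `None` before any authorities are loaded. The class and field names, the lifetime and interval values, and the choice of sha-256 (the ticket uses sha-1; either is fine here, since only preimage resistance matters) are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def token_hash(raw_token: str) -> str:
    """The only thing persisted for a token. Assumption: sha-256 instead of the
    ticket's sha-1; both are preimage resistant, which is all this needs."""
    return hashlib.sha256(raw_token.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    identity: str
    authorities: List[str]
    expires_at: float
    last_extended_at: float
    disabled: bool = False


class TokenStore:
    """In-memory stand-in for the IdmToken table, keyed by token hash (assumed layout)."""

    TTL = 3600.0            # assumption: token lifetime in seconds
    EXTEND_INTERVAL = 60.0  # assumption: protection interval between two extensions

    def __init__(self) -> None:
        self._rows: Dict[str, TokenRecord] = {}

    def issue(self, identity: str, authorities: List[str], now: float) -> str:
        raw = secrets.token_urlsafe(32)  # 256 bits of entropy; never stored
        self._rows[token_hash(raw)] = TokenRecord(
            identity, list(authorities), now + self.TTL, now)
        return raw  # the raw token exists only on the client from here on

    def authenticate(self, raw_token: str, now: float) -> Optional[TokenRecord]:
        """Resolve a presented token. Unknown, disabled or expired tokens yield None
        before any authorities are touched. A dict lookup on the hash is acceptable:
        the raw token is unguessable, so lookup timing leaks nothing useful."""
        rec = self._rows.get(token_hash(raw_token))
        if rec is None or rec.disabled or rec.expires_at <= now:
            return None
        # Extend at most once per EXTEND_INTERVAL, not on every request.
        if now - rec.last_extended_at >= self.EXTEND_INTERVAL:
            rec.expires_at = now + self.TTL
            rec.last_extended_at = now
        return rec

    def disable_tokens_for(self, identity: str) -> int:
        """An authority change (role or permission removed) is handled as a logout:
        every live token of the identity is disabled. Returns how many were."""
        count = 0
        for rec in self._rows.values():
            if rec.identity == identity and not rec.disabled:
                rec.disabled = True
                count += 1
        return count

    def persisted_values(self) -> List[str]:
        """What anyone reading the table sees: hashes only."""
        return list(self._rows)


if __name__ == "__main__":
    store = TokenStore()
    t0 = 1_700_000_000.0  # constructed clock value
    raw = store.issue("alice", ["IDENTITY_READ", "ROLE_READ"], t0)
    print("stored:", store.persisted_values())
    print("auth ok:", store.authenticate(raw, t0 + 10) is not None)
    print("tokens disabled on authority change:", store.disable_tokens_for("alice"))
    print("auth after revoke:", store.authenticate(raw, t0 + 20))
```

A database dump now yields hashes that cannot be replayed as bearer tokens, which is the concern raised in comment #6. Passing the clock in explicitly keeps the extension logic testable; in a real service `now` is simply the request time.

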
#11

Updated by Radek Tomiška over 6 years ago

  • Related to Defect #1191: Log out needs higher privileges added
#12

Updated by Radek Tomiška over 6 years ago

  • Related to Task #1198: Token - extend expiration in the half only added
#13

Updated by Radek Tomiška over 5 years ago
