mirror/keycloak
1
0
Fork 0
mirror of https://github.com/keycloak/keycloak.git synced 2026-05-07 23:50:03 -05:00
Code Issues Packages Projects Releases Wiki Activity

Sign AUTH_SESSION_ID cookie (#35297)

Browse Source 
closes #34027

Signed-off-by: Giuseppe Graziano <g.graziano94@gmail.com>
This commit is contained in:
Giuseppe Graziano
2024-11-28 17:28:52 +01:00
committed by GitHub
parent 94fa14b868
commit a659c8d1cb
9 changed files with 138 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/documentation/upgrading/topics/changes/changes-26_1_0.adoc
+8 -5
View File
@@ -57,11 +57,14 @@ Users should use the TCP based `jdbc-ping` stack as a direct replacement.
When developing extensions for {project_name}, developers can now specify dependencies between provider factories classes by implementing the method `dependsOn()` in the `ProviderFactory` interface.
See the Javadoc for a detailed description.
= Updated format of KEYCLOAK_SESSION cookie
= Updated format of KEYCLOAK_SESSION cookie and AUTH_SESSION_ID cookie
The format of `KEYCLOAK_SESSION` cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was `realmName/userId/userSessionId`. Now the cookie
contains user session ID, which is hashed by SHA-256 and URL encoded. This can affect you just in case when implementing your own providers and relying on the format of internal {project_name}
cookies.
The format of `KEYCLOAK_SESSION` cookie was slightly updated to not contain any private data in plain text. Until now, the format of the cookie was `realmName/userId/userSessionId`. Now the cookie contains user session ID, which is hashed by SHA-256 and URL encoded.
The format of `AUTH_SESSION_ID` cookie was updated to include a signature of the auth session id to ensure its integrity through signature verification. The new format is `base64(auth_session_id.auth_session_id_signature)`. With this update, the old format will no longer be accepted, meaning that old auth sessions will no longer be valid. This change has no impact on user sessions.
These changes can affect you just in case when implementing your own providers and relying on the format of internal Keycloak cookies.
= Removal of robots.txt file
@@ -88,4 +91,4 @@ expect the database schema being updated to add a new column `DETAILS_JSON` to t
The key providers that allow to import externally generated keys (`rsa` and `java-keystore` factories) now check the validity of the associated certificate if present. Therefore a key with a certificate that is expired cannot be imported in {project_name} anymore. If the certificate expires at runtime, the key is converted into a passive key (enabled but not active). A passive key is not used for new tokens, but it is still valid for validating previous issued tokens.
The default `generated` key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.
The default `generated` key providers generate a certificate valid for 10 years (the types that have or can have an associated certificate). Because of the long validity and the recommendation to rotate keys frequently, the generated providers do not perform this check.