Replies: 1 comment
-
|
Sent a PR for this here: #8493 |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
When a client secret is generated today it is an UUID:
keycloak/server-spi-private/src/main/java/org/keycloak/models/utils/KeycloakModelUtils.java
Lines 159 to 163 in 10e4253
keycloak/server-spi/src/main/java/org/keycloak/models/UserCredentialModel.java
Lines 125 to 127 in 10e4253
UUIDs are more expensive to generate, and also have less entropy than a fully randomly generated secret.
One issue with using SecureRandom directly is that it returns a byte array that has to be encoded in order to be used as a secret, for example with base64. However, it just happens to be that there is a utility class in Keycloak that can already generate a random string with a specified character set that removes the need to encode the secret:
keycloak/common/src/main/java/org/keycloak/common/util/RandomString.java
Lines 51 to 53 in 10e4253
For client secrets the proposal is to use a 32 character long randomly generated string using a-zA-Z0-9 as the character set (as the default is for the RandomString utility class).
Using special characters in addition would increase the entropy for a generated secret, but at the other hand it would make it harder to copy/paste secrets.
Entropy for different approaches:
For usability it would be better to increase the length rather than including special characters. However, 32 characters is more than sufficient.
Beta Was this translation helpful? Give feedback.
All reactions