On Fri, Nov 17, 2017 at 7:08 PM, Farasath Ahamed <farasa...@wso2.com> wrote:
> > > Farasath Ahamed > Software Engineer, WSO2 Inc.; http://wso2.com > Mobile: +94777603866 > Blog: blog.farazath.com > Twitter: @farazath619 <https://twitter.com/farazath619> > <http://wso2.com/signature> > > > > On Fri, Nov 17, 2017 at 6:48 PM, Johann Nallathamby <joh...@wso2.com> > wrote: > >> >> >> On Fri, Nov 17, 2017 at 6:39 PM, Malithi Edirisinghe <malit...@wso2.com> >> wrote: >> >>> >>> >>> On Fri, Nov 17, 2017 at 6:12 PM, Johann Nallathamby <joh...@wso2.com> >>> wrote: >>> >>>> Hi Farasath, >>>> >>>> On Fri, Nov 17, 2017 at 5:35 PM, Farasath Ahamed <farasa...@wso2.com> >>>> wrote: >>>> >>>>> >>>>> On Fri, Nov 17, 2017 at 3:23 PM, Johann Nallathamby <joh...@wso2.com> >>>>> wrote: >>>>> >>>>>> Self contained JWT's may get quite large and if we set it as the >>>>>> default size in the script, for users who are not using self contained >>>>>> JWT >>>>>> also it is going to consume large space in the database. >>>>>> >>>>>> Did we think about storing a hash of the access token? >>>>>> >>>>> >>>>> As pointed out by Johann JWT can grow large with requested claims etc. >>>>> so changing the column size can happen as soon as the JWT exceeds the >>>>> defined length, >>>>> >>>>> Therefore, We had few discussions offline on options to resolve this. >>>>> >>>>> 1. User a different data type like BLOB/TEXT to store the JWT access >>>>> token and store a hash to improve search. In this approach we will avoid >>>>> the SQL error, but there will be performance drop for normal UUID based >>>>> access tokens. >>>>> >>>> >>>> May be we can introduce a config to say whether we need to hash or not. >>>> >>>> >>>>> >>>>> 2. Not store the self contained access token in the database at >>>>> all[1]. Since by definition the self contained access token has all the >>>>> necessary data to validate it we can validate the token on IS during >>>>> introspection. Ideally, the idea behind the self contained access token is >>>>> to avoid introspection. But if required we can do it using the presented >>>>> the JWT itself.(This is how client will validate the access token >>>>> anyways). >>>>> Downfall of this approach is that we cannot revoke the token since we >>>>> don't anyway keep any reference to the issued token. >>>>> >>>> >>>> We can use the "jti" claim of the JWT as the reference and use it to >>>> manage the token in IS. >>>> >>> >>> So I think you meant that we don't need to persist the self contained >>> access token at all (even the hash) and use an identifier to reference the >>> token issued. And that reference will be returned with the JWT as 'jti' >>> claim. >>> >> >> Yes >> > > So we can store the jti as the access_token in the IDN_ACCESS_TOKEN table. > Is my understanding correct? > Yes :) > > >> >> >>> >>> >>>> >>>> Regards, >>>> Johann. >>>> >>>> >>>>> >>>>> [1] https://www.oauth.com/oauth2-servers/access-tokens/self- >>>>> encoded-access-tokens/ >>>>> <https://www.google.com/url?q=https%3A%2F%2Fwww.oauth.com%2Foauth2-servers%2Faccess-tokens%2Fself-encoded-access-tokens%2F&sa=D&sntz=1&usg=AFQjCNF5pHN-sGoIgbANyG1WpbRC-dZfSA> >>>>> >>>>> >>>>> Appreciate your thoughts! >>>>> >>>>> >>>>> >>>>>> >>>>>> On Fri, Nov 17, 2017 at 3:06 PM, Isura Karunaratne <is...@wso2.com> >>>>>> wrote: >>>>>> >>>>>>> >>>>>>> >>>>>>> On Fri, Nov 17, 2017 at 1:35 PM, Isura Karunaratne <is...@wso2.com> >>>>>>> wrote: >>>>>>> >>>>>>>> Hi all, >>>>>>>> >>>>>>>> Currently, ACCESS_TOKEN column length is defined as 512 [1] which >>>>>>>> is not enough to store self-contained access token [2]. >>>>>>>> >>>>>>>> Shall we increase the column size by default? >>>>>>>> >>>>>>>> Thanks >>>>>>>> Isura. >>>>>>>> >>>>>>>> >>>>>>>> [1] >>>>>>>> CREATE TABLE IF NOT EXISTS IDN_OAUTH2_ACCESS_TOKEN ( >>>>>>>> TOKEN_ID VARCHAR (255), >>>>>>>> ACCESS_TOKEN VARCHAR(512), >>>>>>>> REFRESH_TOKEN VARCHAR(512), >>>>>>>> CONSUMER_KEY_ID INTEGER, >>>>>>>> AUTHZ_USER VARCHAR (100), >>>>>>>> TENANT_ID INTEGER, >>>>>>>> USER_DOMAIN VARCHAR(50), >>>>>>>> USER_TYPE VARCHAR (25), >>>>>>>> GRANT_TYPE VARCHAR (50), >>>>>>>> TIME_CREATED TIMESTAMP DEFAULT 0, >>>>>>>> REFRESH_TOKEN_TIME_CREATED TIMESTAMP DEFAULT 0, >>>>>>>> VALIDITY_PERIOD BIGINT, >>>>>>>> REFRESH_TOKEN_VALIDITY_PERIOD BIGINT, >>>>>>>> TOKEN_SCOPE_HASH VARCHAR(32), >>>>>>>> TOKEN_STATE VARCHAR(25) DEFAULT 'ACTIVE', >>>>>>>> TOKEN_STATE_ID VARCHAR (128) DEFAULT 'NONE', >>>>>>>> SUBJECT_IDENTIFIER VARCHAR(255), >>>>>>>> PRIMARY KEY (TOKEN_ID), >>>>>>>> FOREIGN KEY (CONSUMER_KEY_ID) REFERENCES >>>>>>>> IDN_OAUTH_CONSUMER_APPS(ID) ON DELETE CASCADE, >>>>>>>> CONSTRAINT CON_APP_KEY UNIQUE >>>>>>>> (CONSUMER_KEY_ID,AUTHZ_USER,TENANT_ID,USER_DOMAIN,USER_TYPE, >>>>>>>> TOKEN_SCOPE_HASH, >>>>>>>> >>>>>>>> TOKEN_STATE,TOKEN_STATE_ID) >>>>>>>> >>>>>>>> >>>>>>>> [2] https://wso2.org/jira/browse/IDENTITY-6917 >>>>>>>> >>>>>>>> >>>>>>>> -- >>>>>>>> >>>>>>>> *Isura Dilhara Karunaratne* >>>>>>>> Associate Technical Lead | WSO2 >>>>>>>> Email: is...@wso2.com >>>>>>>> Mob : +94 772 254 810 <+94%2077%20225%204810> >>>>>>>> Blog : http://isurad.blogspot.com/ >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>>> >>>>>>> -- >>>>>>> >>>>>>> *Isura Dilhara Karunaratne* >>>>>>> Associate Technical Lead | WSO2 >>>>>>> Email: is...@wso2.com >>>>>>> Mob : +94 772 254 810 <+94%2077%20225%204810> >>>>>>> Blog : http://isurad.blogspot.com/ >>>>>>> >>>>>>> >>>>>>> >>>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> Thanks & Regards, >>>>>> >>>>>> *Johann Dilantha Nallathamby* >>>>>> Senior Lead Solutions Engineer >>>>>> WSO2, Inc. >>>>>> lean.enterprise.middleware >>>>>> >>>>>> Mobile - *+94777776950* >>>>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>* >>>>>> >>>>> >>>>> >>>> >>>> >>>> -- >>>> Thanks & Regards, >>>> >>>> *Johann Dilantha Nallathamby* >>>> Senior Lead Solutions Engineer >>>> WSO2, Inc. >>>> lean.enterprise.middleware >>>> >>>> Mobile - *+94777776950* >>>> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>* >>>> >>> >>> >>> >>> -- >>> >>> *Malithi Edirisinghe* >>> Associate Technical Lead >>> WSO2 Inc. >>> >>> Mobile : +94 (0) 718176807 >>> malit...@wso2.com >>> >> >> >> >> -- >> Thanks & Regards, >> >> *Johann Dilantha Nallathamby* >> Senior Lead Solutions Engineer >> WSO2, Inc. >> lean.enterprise.middleware >> >> Mobile - *+94777776950* >> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>* >> > > -- Thanks & Regards, *Johann Dilantha Nallathamby* Senior Lead Solutions Engineer WSO2, Inc. lean.enterprise.middleware Mobile - *+94777776950* Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
