Merge pull request #444 from DuendeSoftware/joe/refererence-token-keys
Add detail about reference token keys and handles
brockallen authored Mar 8, 2024
2 parents 3f231b0 + 78f2a28 commit 9dc9550
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion IdentityServer/v7/docs/content/tokens/reference.md
Expand Up @@ -25,4 +25,7 @@ The introspection endpoint requires authentication - since the client of an intr
ApiSecrets = { new Secret("secret".Sha256()) }
Scopes = { "read", "write" }
}
```
```

## Store Keys and Handles
Reference tokens have a key, which is an internal identifier used in the data store, and a handle, which is an external value that is given to the client and never stored. The handle is 32 bytes of cryptographically strong random data encoded as a hex string with a suffix to indicate the encoding ("-1"). This is the value that clients use as the access token. The handle, plus additional metadata indicating the type of grant, is hashed with the SHA-256 algorithm to produce the key. When IdentityServer is presented with a handle, it recomputes the key in order to retrieve the persisted grant record for the reference token. The intention of this separation of key and handle is that read access to the store will not reveal sensitive data. An attacker could read the keys in the data store, but those keys were produced using a one-way hash, so the attacker would not be able to use the keys to recover the handles (the actual access tokens).
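Review bot: the final claim of the added paragraph ("read access to the store will not reveal sensitive data") rests entirely on the handle's entropy, and the paragraph should say so explicitly: an unsalted SHA-256 of the handle plus grant-type metadata resists preimage recovery only because the handle is 32 bytes of cryptographically strong random data, so readers should not take this as a pattern for hashing low-entropy secrets such as passwords. The threat model should also be scoped to what it actually covers: read-only access to the store (hashed keys do not yield handles) but not write access, where an attacker could insert or alter persisted grant records, so a sentence such as "Write access to the store remains sensitive" would help. Two smaller points: the "-1" suffix is described only as indicating the encoding, and naming what it versions would make the format clearer; and the closing code fence appears in the hunk as both the one deletion and an addition with no visible difference, so please confirm that is a whitespace-only change rather than an accidental edit.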
