keycloak-scim/topics/threat/compromised-codes.adoc


=== Compromised Access Codes

For the <<fake/../../sso-protocols/oidc.adoc#_oidc-auth-flows, OIDC Auth Code Flow>>, it would be very hard for an attacker to compromise {{book.project.name}} access codes.
{{book.project.name}} generates a cryptographically strong random value for its access codes so it would be very hard to guess an access token.
An access code can only be used once to obtain an access token.
In the admin console you can specify how long an access token is valid for on the <<fake/../../sessions/timeouts.adoc#_timeouts, timeouts page>>.
This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code.
threat 2016-05-31 22:00:59 +00:00
			`=== Compromised Access Codes`

Minor changes for threat model chapter. 2016-06-07 19:02:18 +00:00			`For the <<fake/../../sso-protocols/oidc.adoc#_oidc-auth-flows, OIDC Auth Code Flow>>, it would be very hard for an attacker to compromise {{book.project.name}} access codes.`
threat 2016-05-31 22:00:59 +00:00			`{{book.project.name}} generates a cryptographically strong random value for its access codes so it would be very hard to guess an access token.`
			`An access code can only be used once to obtain an access token.`
			`In the admin console you can specify how long an access token is valid for on the <<fake/../../sessions/timeouts.adoc#_timeouts, timeouts page>>.`
			`This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code.`