keycloak-scim/server_admin/topics/threat/compromised-codes.adoc


=== Compromised Authorization Code

For the xref:con-oidc-auth-flows_{context}[OIDC Auth Code Flow], it would be very hard for an attacker to compromise {project_name} authorization codes.
{project_name} generates a cryptographically strong random value for its authorization codes so it would be very hard to guess an access token.
An authorization code can only be used once to obtain an access token.
In the admin console you can specify how long an authorization code is valid for on the <<_timeouts, timeouts page>>.
This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code.

You can also mitigate against leaked autorization codes by applying PKCE to clients. See <<_proof-key-for-code-exchange, Proof Key for Code Exchange (PKCE)>> to learn how.
threat 2016-05-31 22:00:59 +00:00
Fixed typo in Compromised Access Codes of Server Administration Guide 2017-04-03 06:15:12 +00:00			`=== Compromised Authorization Code`
threat 2016-05-31 22:00:59 +00:00
KEYCLOAK-16234 initial commit (#41) * Fix Users TOC * KEYCLOAK-16234 initial commit * Modularization * messing * removes duplicate module calls * Post feedback changes Co-authored-by: Andy Munro <amunro@redhat.com> 2020-12-16 17:20:41 +00:00			`For the xref:con-oidc-auth-flows_{context}[OIDC Auth Code Flow], it would be very hard for an attacker to compromise {project_name} authorization codes.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`{project_name} generates a cryptographically strong random value for its authorization codes so it would be very hard to guess an access token.`
Fixed typo in Compromised Access Codes of Server Administration Guide 2017-04-03 06:15:12 +00:00			`An authorization code can only be used once to obtain an access token.`
Convert documentation to AsciiDoctor 2017-08-28 12:50:14 +00:00			`In the admin console you can specify how long an authorization code is valid for on the <<_timeouts, timeouts page>>.`
threat 2016-05-31 22:00:59 +00:00			`This value should be really short, as short as a few seconds and just long enough for the client to make the request to obtain a token from the code.`

KEYCLOAK-10747 Explicit Proof Key for Code Exchange Activation Settings 2019-07-03 00:39:14 +00:00			`You can also mitigate against leaked autorization codes by applying PKCE to clients. See <<_proof-key-for-code-exchange, Proof Key for Code Exchange (PKCE)>> to learn how.`