[keycloak-dev] Realm key pair
Bill Burke
bburke at redhat.com
Thu Apr 3 18:06:30 EDT 2014
The keypair is not something specific to a realm-client. It is specific
to the realm. The realm signs all access tokens for all clients with
its private key. Currently we do not support a shared secret, only PKI.
And we'll probably only support PKI unless there is a popular client
which can't support it.
On 4/3/2014 10:32 AM, Bruno Oliveira wrote:
> I see. I was just wondering if it is possible to avoid the key pair exposition and if the idea is valid. For our clients, establish a key agreement (ECDH for example) and use the shared key to sign JSON[1].
>
> Does it make sense?
>
> [1] - http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section-4.6.1
>
> --
> abstractj
>
> On April 2, 2014 at 4:27:29 PM, Bill Burke (bburke at redhat.com) wrote:
>> Not sure what you mean. The keypair is for the realm. When you create
>> a realm this keypair is automatically generated. The only reason it
>> exists in the example imported json files is so that the example adapter
>> configs can run out of the box.
>
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
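Added example, not code from the thread or from Keycloak itself: a small model of the
arrangement Bill describes, written in Go with only the standard library. One RSA key
pair per realm signs RS256 tokens for every client; a client adapter holding only the
realm public key verifies them. It also shows two things a practitioner would check on
top of what the mail says: a token from another realm's key does not verify, and a
token that claims HS256 (the "alg confusion" trick, where the public key is used as an
HMAC secret) is rejected because the verifier pins the algorithm instead of trusting the
header. The Realm type, the claim names and the client IDs are assumptions made for the
example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Realm holds the key pair generated when the realm is created (an
// illustrative type, not Keycloak's own). Every client of the realm gets
// tokens signed with this one private key; clients only get the public half.
type Realm struct {
	Name string
	Key  *rsa.PrivateKey
}

func NewRealm(name string) (*Realm, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Realm{Name: name, Key: key}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signingInput builds the base64url(header).base64url(payload) part of a JWS.
func signingInput(alg, iss, aud, sub string) string {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	payload, _ := json.Marshal(map[string]string{"iss": iss, "aud": aud, "sub": sub})
	return b64(header) + "." + b64(payload)
}

// IssueToken returns a compact JWS signed with RS256 (PKCS#1 v1.5 over
// SHA-256) using the realm private key, whatever client it is for.
func (r *Realm) IssueToken(clientID, subject string) (string, error) {
	input := signingInput("RS256", r.Name, clientID, subject)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, r.Key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// ForgeHS256 is the attacker side of "alg confusion": a token whose header
// says HS256, MACed with the realm public key bytes every adapter has on disk.
func ForgeHS256(pub *rsa.PublicKey, iss, clientID, subject string) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	input := signingInput("HS256", iss, clientID, subject)
	mac := hmac.New(sha256.New, der)
	mac.Write([]byte(input))
	return input + "." + b64(mac.Sum(nil))
}

// VerifyToken is the client-adapter side: it holds only the realm public key,
// pins the algorithm and checks the RSA signature before trusting any claim.
func VerifyToken(pub *rsa.PublicKey, token string) (map[string]string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	// The verifier, not the token, decides the algorithm: HS256, "none" and
	// anything else is rejected before any key material is used.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("bad signature: %w", err)
	}
	payloadJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]string
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	realm, _ := NewRealm("demo")
	tok, _ := realm.IssueToken("app-a", "alice")
	fmt.Println(VerifyToken(&realm.Key.PublicKey, tok))
	_, err := VerifyToken(&realm.Key.PublicKey, ForgeHS256(&realm.Key.PublicKey, "demo", "app-a", "alice"))
	fmt.Println("forged HS256 token:", err)
}
```

Because the realm key, not a per-client secret, is what signs, adding a second client
needs no new key material on the server side, and the only thing a client has to be
configured with is the realm public key, which is exactly why it appears in the example
adapter configs.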