[keycloak-dev] Keep client private keys in Keycloak DB?
Marek Posolda
mposolda at redhat.com
Tue Aug 11 04:55:09 EDT 2015
For the client authentication with signed JWT, I am wondering if we
should keep client private key in Keycloak DB?
TBH I am more keen to not keep the copies, but just the certificate with
public key, so the private key is owned exclusively by client and saved
just on client side. Looks better to me from security perspective and
that's how Google is doing it -
https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
But now I notice that for the SAML clients, we keep the private keys in
Keycloak DB (the private key for signing SAML requests or the private key,
which client needs to verify SAML assertions encrypted by its public
key). Is it ok from the security perspective?
Marek
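As an added illustration of the split described in the message above (example code, not part of the post or of Keycloak's own code base): the client signs a private_key_jwt style assertion with an RSA key that only it holds, and the server side verifies it using nothing but the client's public key, so no private key needs to be stored in the server's DB. The function names, client id and token endpoint are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)
// ClientSignJWT is the client side: it signs an RS256 JWT assertion with a private key that never leaves the client.
func ClientSignJWT(priv *rsa.PrivateKey, clientID, tokenEndpoint string) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": tokenEndpoint})
	// JWT segments are unpadded base64url; the signature covers header.payload
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// ServerVerifyJWT is the server side: only the public key from the client's certificate is needed.
func ServerVerifyJWT(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature invalid: client not authenticated")
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1]) // payload was covered by the signature
	var claims map[string]interface{}
	return claims, json.Unmarshal(raw, &claims)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed client key pair; only the public half is shared
	tok, _ := ClientSignJWT(priv, "my-client", "https://keycloak.example/token")
	fmt.Println(ServerVerifyJWT(&priv.PublicKey, tok)) // claims map, <nil>
}
```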