[keycloak-dev] ECDSA support for Keycloak

Stian Thorgersen sthorger at redhat.com
Fri Jul 7 07:35:20 EDT 2017

ECDSA would be a great addition as there should be significant performance
improvements over RSA.

First thing is we have our own internal utils for signing that relies on
BouncyCastle and we would not accept a dependency on "nimbus-jose-jwt". Due
to our productization process for RH-SSO we do not easily accept adding new
third party dependencies and in this case it's completely pointless as we
already have the equivalent libraries internally.

To add ECDSA support there is a fair bit of work needed:

1. Add key provider implementations. We'd need providers that correspond to
the ones we have for RSA (upload keys, generated keys, etc.)
2. Add option to realm (to set default realm signing algorithm) and clients
to be able to override the algorithm to use
3. Update internal signing libraries on the server side to use correct
algorithm according to 1
4. Update adapters to support ECDSA signatures - this includes Java and
Node.js adapters
5. Loads of testing
6. Documentation updates

That's at least what I can think of at the top of my head.
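As an added illustration of step 3 (not code from this thread or from Keycloak itself): ES256 JWS signing and verification on the JDK's JCA alone, the in-house approach Stian describes rather than a nimbus-jose-jwt dependency. The class name, the sample issuer URL and the simplified header check are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.ECGenParameterSpec;
import java.util.Base64;
// ES256 JWS sign/verify with only the JDK's JCA, i.e. no nimbus-jose-jwt dependency.
public final class Es256JwsExample {
    // JWS needs the raw R||S signature (64 bytes for P-256), not DER. The P1363 variant
    // exists since Java 9; plain "SHA256withECDSA" emits DER, which other JWS stacks reject.
    private static final String JCA_ALG = "SHA256withECDSAinP1363Format";
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    public static KeyPair generateP256() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1")); // the curve ES256 mandates
        return kpg.generateKeyPair();
    }

    public static String sign(String payloadJson, PrivateKey key) throws GeneralSecurityException {
        String header = ENC.encodeToString("{\"alg\":\"ES256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = ENC.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + payload;
        Signature s = Signature.getInstance(JCA_ALG);
        s.initSign(key);
        s.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + ENC.encodeToString(s.sign());
    }

    public static boolean verify(String jws, PublicKey key) throws GeneralSecurityException {
        String[] parts = jws.split("\\.");
        if (parts.length != 3) return false;
        // The verifier fixes the algorithm from the key it holds; any other "alg" is rejected.
        String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
        if (!header.contains("\"alg\":\"ES256\"")) return false; // simplified header check (assumption)
        byte[] sig = DEC.decode(parts[2]);
        if (sig.length != 64) return false; // R||S for P-256
        Signature v = Signature.getInstance(JCA_ALG);
        v.initVerify(key);
        v.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        return v.verify(sig);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair kp = generateP256();
        String jws = sign("{\"sub\":\"alice\",\"iss\":\"https://keycloak.example/realms/demo\"}", kp.getPrivate());
        if (!verify(jws, kp.getPublic())) throw new IllegalStateException("own key must verify");
        if (verify(jws, generateP256().getPublic())) throw new IllegalStateException("foreign key must fail");
    }
}
```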

On 7 July 2017 at 12:50, Kishan Sagathiya <kishansagathiya at gmail.com> wrote:

> Hey,
> We are trying to develop ECDSA support for Keycloak.
> I have already written an ECDSAProvider and I am using the nimbus-jose-jwt
> library. Though, I am not sure how to proceed forward. How to add an option
> in the Keycloak console to add an ECDSA key, etc.
> If anyone can help me with this, that would be great.
> -Kishan Sagathiya
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
