[keycloak-dev] JWS signatures using PS256 or ES256 algorithms for signing
Stian Thorgersen
sthorger at redhat.com
Tue Jun 26 12:25:15 EDT 2018
I don't really like the idea of having to reconfigure to make the adapter
accept new signature. I know oidc well known endpoint doesn't have
signature algorithm for access token, but we could add one and have
adapters pull from the server what algorithms to accept.
On Tue, 26 Jun 2018, 11:00 Marek Posolda, <mposolda at redhat.com> wrote:
> On 30/05/18 09:35, Stian Thorgersen wrote:
>
> I think it might be better to determine which kind of Token Signature
> Provider be used by not parsing JWS, for example, looking up Client or
> Realm settings.
> This PR might have impacts on keycloak's performance because it has parsed
> JWS to determine it every time keycloak receives JWS Token.
>
>
> On the server-side that is easy. On the adapter side that would probably
> require adding a property to keycloak.json to set the algorithm. In either
> case it should probably default to RSA for existing realms at least, but we
> could consider setting it to ES256 for new realms.
>
>
> +1
>
> Parsing token signature to determine algorithm should be avoided IMO.
> AFAIR Some OAuth/OIDC vendors had security issues in the past, that they
> parsed the header with "none" algorithm and then client applications
> automatically trust unsigned tokens. We should make sure this is not
> possible.
>
> Marek
>
More information about the keycloak-dev
mailing list