<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Hi,<br>
<br>
could you please create a JIRA for it and mark the component as
"Specification - OIDC"?<br>
<br>
I agree the current behaviour has space for improvements. There is
also one related performance issue as currently we "compute" the
PublicKey from PEM during each login of federated user. Same goes
for client authentication with signed JWT. I think we should have
some "PublicKeyCacheProvider" of public keys, which will be used
by both IdentityProviders and Clients. Also we should be able to
"retrieve" new keys from "jwks_uri" on demand when key with
corresponding "kid" is not found (currently we do it always just
when IdentityProvider config is imported, or when OIDC client is
registered).<br>
<br>
Thanks,<br>
Marek<br>
<br>
On 01/09/16 09:38, Peter Nalyvayko wrote:<br>
</div>
<blockquote
cite="mid:302658655.3824657.1472715490205@mail.yahoo.com"
type="cite">
<div style="color:#000; background-color:#fff;
font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial,
Lucida Grande, sans-serif;font-size:16px">
<div id="yui_3_16_0_ym19_1_1472712522395_3600">Hello,</div>
<div id="yui_3_16_0_ym19_1_1472712522395_3600"><br>
</div>
<div id="yui_3_16_0_ym19_1_1472712522395_3600" dir="ltr">I have
an external OIDC provider that uses multiple signing keys to
sign the id_tokens it issues. </div>
<div id="yui_3_16_0_ym19_1_1472712522395_3600" dir="ltr">According
to the OIDC spec
(<a class="moz-txt-link-freetext" href="https://openid.net/specs/openid-connect-discovery-1_0.html">https://openid.net/specs/openid-connect-discovery-1_0.html</a>),
"jwks_uri" is an "URL of the OP's JSON Web Key Set. The set
contains the signing key(s) that RP uses to validate signature
from the OP". </div>
<div id="yui_3_16_0_ym19_1_1472712522395_3600" dir="ltr">Now,
there is only a single validating public key shown on the
OIDC external provider configuration page. When importing OIDC
provider configuration using OIDC provider metadata uri,
keycloak picks the first JWK whose "use" parameter value is
set to "sig". In my case, all JWKs in the JWK Set have their
"use" member set to "sig". I took a cursory look at the JWKS
spec
(<a class="moz-txt-link-freetext" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41#section-4.2">https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41#section-4.2</a>)
and based on what I've read it seems there could be more than
one key with the same "use" parameter. Shouldn't keycloak
store all signing keys instead of just one, and use the value
of the "kid" parameter from the provider's auth response to
choose a corresponding public key to do the validation?</div>
<div id="yui_3_16_0_ym19_1_1472712522395_3600" dir="ltr"><br>
</div>
<div id="yui_3_16_0_ym19_1_1472712522395_3600" dir="ltr">Regards,</div>
<div id="yui_3_16_0_ym19_1_1472712522395_3600" dir="ltr">--Peter</div>
</div>
<br>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
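<p>The behaviour Peter asks for (keep every signing key from the JWK Set and pick the one whose "kid" matches the token header) and the on-demand refetch from "jwks_uri" that Marek proposes, written out as an added, stand-alone Python example. This is illustration code for the thread, not Keycloak's Java implementation. It assumes a hypothetical resolver class, constructed JWK Set documents with placeholder key material, and a fake fetcher standing in for the HTTP GET on jwks_uri; it stops at selecting the JWK and hands that to whatever signature verifier the caller uses. It also covers two cases the thread does not spell out: rate-limiting the miss-triggered refetch so that tokens carrying arbitrary unknown kids cannot turn the RP into a request loop against the OP, and refusing a key whose "kty" does not fit the header "alg".</p>

```python
import base64
import json
import time

# Constructed JWK Set documents standing in for two successive responses from an
# OP's jwks_uri. Key material is placeholder text, not real RSA moduli; the point
# is key selection, not signature verification. JWKS_V2 is JWKS_V1 plus one
# newly rotated-in signing key.
JWKS_V1 = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "2016-08-a", "alg": "RS256", "n": "n-placeholder-a", "e": "AQAB"},
    {"kty": "RSA", "use": "sig", "kid": "2016-08-b", "alg": "RS256", "n": "n-placeholder-b", "e": "AQAB"},
    {"kty": "RSA", "use": "enc", "kid": "2016-08-enc", "alg": "RSA-OAEP", "n": "n-placeholder-c", "e": "AQAB"},
]}
JWKS_V2 = {"keys": JWKS_V1["keys"] + [
    {"kty": "RSA", "use": "sig", "kid": "2016-09-c", "alg": "RS256", "n": "n-placeholder-d", "e": "AQAB"},
]}

# JWS algorithm -> JWK key type it requires; a kid pointing at the wrong type is rejected.
KTY_FOR_ALG = {"RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
               "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
               "ES256": "EC", "ES384": "EC", "ES512": "EC"}


class KeyResolutionError(Exception):
    """Raised when no acceptable signing key can be selected for a token."""


def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def parse_jws_header(token):
    """Return the protected header of a compact-serialised JWS (id_token) as a dict."""
    parts = token.split(".")
    if len(parts) != 3:
        raise KeyResolutionError("not a compact JWS")
    return json.loads(b64url_decode(parts[0]))


def make_unsigned_token(header):
    """Constructed helper: a JWS with the given header and placeholder payload/signature."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(b'{"sub":"x"}'), b64url_encode(b"sig")])


class StaticJwksFetcher:
    """Stands in for HTTP GET on jwks_uri: serves the documents in order, counts requests."""
    def __init__(self, documents):
        self._docs = list(documents)
        self.calls = 0

    def __call__(self):
        self.calls += 1
        return self._docs[min(self.calls, len(self._docs)) - 1]


class SigningKeyResolver:
    """Caches the OP's signing keys by kid (hypothetical class, not Keycloak's).
    An unknown kid triggers a refetch of jwks_uri, but at most once per
    min_refetch_interval seconds, so unknown kids cannot drive a fetch flood."""
    def __init__(self, fetch_jwks, min_refetch_interval=60.0, clock=time.monotonic):
        self._fetch = fetch_jwks
        self._min_interval = min_refetch_interval
        self._clock = clock
        self._keys = {}
        self._last_fetch = None
        self.refresh()

    def refresh(self):
        self._keys = {}
        for jwk in self._fetch().get("keys", []):
            # Keep only signature keys; "use" is optional, so absence counts as usable.
            if jwk.get("use", "sig") != "sig" or "kid" not in jwk:
                continue
            self._keys[jwk["kid"]] = jwk
        self._last_fetch = self._clock()

    def resolve(self, token):
        header = parse_jws_header(token)
        alg = header.get("alg")
        if alg not in KTY_FOR_ALG:
            raise KeyResolutionError("unsupported or missing alg: %r" % (alg,))
        kid = header.get("kid")
        if kid is None:
            # OIDC Core 10.1: with more than one key in the JWK Set a kid MUST be present.
            if len(self._keys) != 1:
                raise KeyResolutionError("no kid in header and JWK Set is not a single key")
            kid = next(iter(self._keys))
        jwk = self._keys.get(kid)
        if jwk is None and self._clock() - self._last_fetch >= self._min_interval:
            self.refresh()          # probably a rotated key: retrieve the current set once
            jwk = self._keys.get(kid)
        if jwk is None:
            raise KeyResolutionError("no usable signing key for kid %r" % (kid,))
        if jwk.get("kty") != KTY_FOR_ALG[alg] or jwk.get("alg", alg) != alg:
            raise KeyResolutionError("key %r cannot be used with alg %s" % (kid, alg))
        return jwk


def demo():
    """Walk through the constructed JWK Sets with a controllable clock; returns outcomes."""
    fetcher = StaticJwksFetcher([JWKS_V1, JWKS_V2])
    now = [0.0]
    resolver = SigningKeyResolver(fetcher, min_refetch_interval=60.0, clock=lambda: now[0])
    outcomes = {}

    def attempt(name, header):
        try:
            outcomes[name] = resolver.resolve(make_unsigned_token(header))["kid"]
        except KeyResolutionError as exc:
            outcomes[name] = "rejected: " + str(exc)

    attempt("known_second_key", {"alg": "RS256", "kid": "2016-08-b"})
    attempt("rotated_key_too_soon", {"alg": "RS256", "kid": "2016-09-c"})
    now[0] = 61.0
    attempt("rotated_key_after_refetch", {"alg": "RS256", "kid": "2016-09-c"})
    attempt("encryption_key", {"alg": "RS256", "kid": "2016-08-enc"})
    attempt("alg_mismatch", {"alg": "ES256", "kid": "2016-08-a"})
    attempt("no_kid", {"alg": "RS256"})
    outcomes["jwks_fetches"] = fetcher.calls
    return outcomes
```

<p>Running <code>demo()</code> shows the second signing key being selected by kid (which the "first key with use=sig" import loses), the rotated-in key being rejected until the refetch window has passed and then accepted after exactly one extra jwks_uri request, and the "enc" key, an algorithm/key-type mismatch, and a multi-key set without a kid all being refused rather than silently falling back to some key.</p>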
<br>
</body>
</html>