<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On 12 September 2016 at 21:49, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I've sent PR <a href="https://github.com/keycloak/keycloak/pull/3228" rel="noreferrer" target="_blank">https://github.com/keycloak/<wbr>keycloak/pull/3228</a> for the<br>
above. There are no changes on the Keycloak auth-server side; just the<br>
adapter is now able to retrieve the new realm public key whenever a new<br>
keypair for the realm is generated or uploaded.<br>
<br>
Summary of changes:<br>
* Adapters don't use our proprietary endpoint for retrieving the realm<br>
public key, but instead use the OIDC-standard jwks_url, which the<br>
Keycloak server already publishes.<br>
<br>
* The adapter option "realm-public-key" in keycloak.json is not<br>
recommended now, and I removed it from examples and some tests. The<br>
reason is that if you have a hardcoded "realm-public-key" in<br>
keycloak.json, then your adapter will always use this public key and<br>
won't try to download a new public key in case a new keypair was<br>
generated for the realm. In other words, the application will be unusable if<br>
the realm public key is changed. Still, this option is kept in case<br>
someone really wants a hardcoded public key and never to download it from<br>
the auth-server.<br>
<br>
* If "realm-public-key" is not in keycloak.json (the new recommended default<br>
behaviour), then the adapter will always try to download a new public key from<br>
the realm when it sees a token with an unknown "kid" in the JWS header. So it's<br>
not just the first request to the app (which we had until now), but always<br>
when a new key is generated, the adapter will download it. The adapter has support<br>
for storing more public keys with different "kid"s, as this is needed for the<br>
transition when tokens signed by both the "old" and "new" key are sent to<br>
the REST app endpoint. There is a plan to support more keypairs for a<br>
single realm too.<br>
<br>
* There is some minimum time between requests (10 seconds by default),<br>
so it's not possible to easily DoS in case an attacker sends lots<br>
of requests to the app with a bad "kid", or if lots of requests signed by an<br>
outdated "kid" happen. A new adapter option was added for it.<br>
<br>
I still have the docs to do, and possibly also update the quickstarts and<br>
remove "realm-public-key" from them?<br></blockquote><div><br></div><div>+1 We should remove from quickstarts as well</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
The next step is to implement something similar for clients and<br>
identityProviders. The JIRAs are<br>
<a href="https://issues.jboss.org/browse/KEYCLOAK-3493" rel="noreferrer" target="_blank">https://issues.jboss.org/<wbr>browse/KEYCLOAK-3493</a> and<br>
<a href="https://issues.jboss.org/browse/KEYCLOAK-3532" rel="noreferrer" target="_blank">https://issues.jboss.org/<wbr>browse/KEYCLOAK-3532</a>. So the Keycloak server<br>
will be able to download new keypairs in case the keys under the "jwks_url"<br>
of an identityProvider (or client) are changed. That's for OIDC<br>
identityProviders and also for clients using authentication with a signed<br>
JWT. It's needed for OIDC certification.<br>
<br>
Marek<br>
<br>
______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div></div>