<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 13/09/16 16:36, Niels Bertram wrote:<br>
</div>
<blockquote
cite="mid:CAPLPygnSOWkFfdxX2nX3JUHgtSzHbcLORu6oc1_Cdm9yR0RU0w@mail.gmail.com"
type="cite">
<div dir="ltr">Hi Stian,
<div><br>
</div>
<div>interesting email. We were recently given advice to rotate
keys periodically, but at this point in time Keycloak 1.9.8
does not actually implement <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys">http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys</a>,
nor are any of the client adapters able to use the jks url to
retrieve pub keys; rather, they require hard-coding the target
realm key in the public-realm-key property of the
keycloak.json client configuration file.</div>
<div><br>
</div>
<div>Is this new feature going to implement the OpenID Connect
spec sections 10.1 and 10.2 ?</div>
<div><br>
</div>
<div>Also, I assume this would require changes to adapters
by removing the public-realm-key property from the config
file?</div>
</div>
</blockquote>
Yes, exactly. The adapter side is already implemented in master (but
not yet documented). See my other mail for details
<a class="moz-txt-link-freetext" href="http://lists.jboss.org/pipermail/keycloak-dev/2016-September/008062.html">http://lists.jboss.org/pipermail/keycloak-dev/2016-September/008062.html</a><br>
<br>
Marek<br>
<blockquote
cite="mid:CAPLPygnSOWkFfdxX2nX3JUHgtSzHbcLORu6oc1_Cdm9yR0RU0w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Kind Regards,</div>
<div>Niels</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Tue, Sep 13, 2016 at 11:41 PM,
Nalyvayko, Peter <span dir="ltr"><<a
moz-do-not-send="true" href="mailto:pnalyvayko@agi.com"
target="_blank">pnalyvayko@agi.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div link="#0563C1" vlink="#954F72" lang="EN-US">
<div>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1f497d">Is
this going to be a breaking feature or is the plan
to continue supporting the current single key/realm
model?
</span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,sans-serif;color:#1f497d">&nbsp;</span></p>
<p class="MsoNormal"><b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span
style="font-size:11.0pt;font-family:"Calibri",sans-serif"> <a
moz-do-not-send="true"
href="mailto:keycloak-dev-bounces@lists.jboss.org"
target="_blank">keycloak-dev-bounces@lists.<wbr>jboss.org</a>
[mailto:<a moz-do-not-send="true"
href="mailto:keycloak-dev-bounces@lists.jboss.org"
target="_blank">keycloak-dev-bounces@<wbr>lists.jboss.org</a>]
<b>On Behalf Of </b>Stian Thorgersen<br>
<b>Sent:</b> Tuesday, September 13, 2016 9:29 AM<br>
<b>To:</b> keycloak-dev <<a
moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org"
target="_blank">keycloak-dev@lists.jboss.org</a>><br>
<b>Subject:</b> [keycloak-dev] Realm key rotation
support</span></p>
<div>
<div class="h5">
<p class="MsoNormal">&nbsp;</p>
<div>
<p class="MsoNormal">To be able to gracefully
rotate the realm keys periodically a realm needs
to have more than one keypair. One keypair that
is active and will be used to issue new cookies
and tokens. Also, one or more keypairs that are
inactive that can be used to verify old cookies
and tokens.</p>
<div>
<p class="MsoNormal">&nbsp;</p>
</div>
<div>
<p class="MsoNormal">I'm going to start work on
this soon, but here's some initial thoughts:</p>
</div>
<div>
<p class="MsoNormal">&nbsp;</p>
</div>
<div>
<p class="MsoNormal">* Realm keys will have a
list of keypairs rather than just one. Only
one can be active. There will also be an
expiration time on the inactive keypairs. Once
expired, an inactive keypair is no longer
usable.</p>
</div>
<div>
<p class="MsoNormal">* There will also be an
option to automatically generate a new key
every N days.</p>
</div>
<div>
<p class="MsoNormal">* If a session cookie is
signed with an inactive pair the cookie will
be refreshed so it's signed with the active
keypair</p>
</div>
<div>
<p class="MsoNormal">* Token introspect endpoint
will allow any token that is signed with any
keypair that is not expired</p>
</div>
<div>
<p class="MsoNormal">* If a refresh token is
signed with an inactive pair the new tokens
(including refresh token) will be signed with
the active keypair</p>
</div>
<div>
<p class="MsoNormal">* Secret used to generate
client code will be linked to the keypair.
I'll need a way to specify what secret it was
signed with so codes are still valid even if
they were signed with an old one.</p>
</div>
<div>
<p class="MsoNormal">&nbsp;</p>
</div>
<div>
<p class="MsoNormal">This is only for login
cookie and OIDC protocol. Is it even necessary
to have support for multiple certificates for
SAML? SAML doesn't have token introspection
or refresh of assertions, right? So I'm not
sure it's needed.</p>
</div>
<div>
<p class="MsoNormal">&nbsp;</p>
</div>
<div>
<p class="MsoNormal">With regards to the
applications. Marek has already added support
for clients to fetch new keypairs for the
realm. See his email on keycloak-dev for
details around that.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
______________________________<wbr>_________________<br>
keycloak-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
rel="noreferrer" target="_blank">https://lists.jboss.org/<wbr>mailman/listinfo/keycloak-dev</a><br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
keycloak-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/keycloak-dev">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a></pre>
</blockquote>
<p><br>
</p>
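<p>The rotation model sketched in Stian's mail above (a realm holding a list of keypairs, exactly one active for signing, the rest inactive with an expiration time, and a cookie re-signed when it verified under an inactive key) as an added Go example. This is not code from the thread or from Keycloak; it assumes P-256 ECDSA keypairs, a compact <code>kid.payload.sig</code> token format standing in for the JWS Keycloak actually issues, kids <code>k1</code>, <code>k2</code>, ... minted by the example itself, and a constructed <code>session=abc</code> payload. The <code>Realm</code>, <code>Rotate</code>, <code>Sign</code>, <code>Verify</code> and <code>Refresh</code> names and the error values are all invented for the illustration.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// realmKey is one keypair of the realm. The active key (Realm.active) signs;
// every other key is inactive and verifies only until its expiry.
type realmKey struct {
	priv    *ecdsa.PrivateKey
	expires time.Time // set when the key is retired from active use
}

// Realm keeps all keypairs by kid and an injectable clock so expiry is testable.
type Realm struct {
	keys   map[string]*realmKey
	active string
	now    func() time.Time
}

var ErrUnknownKey = errors.New("token references a key the realm does not have")
var ErrExpiredKey = errors.New("token signed with an expired inactive key")
var ErrBadSig = errors.New("malformed token or bad signature")

// NewRealm starts with a single active keypair (hypothetical API).
func NewRealm(now func() time.Time) (*Realm, error) {
	r := &Realm{keys: map[string]*realmKey{}, now: now}
	return r, r.Rotate(0)
}

// Rotate generates a new active keypair. The previous active key stays usable
// for verification until now+grace and is refused after that.
func (r *Realm) Rotate(grace time.Duration) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	if old, ok := r.keys[r.active]; ok {
		old.expires = r.now().Add(grace)
	}
	r.active = fmt.Sprintf("k%d", len(r.keys)+1)
	r.keys[r.active] = &realmKey{priv: priv}
	return nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign issues a compact "kid.payload.sig" token (a stand-in for a JWS) under
// the active key; the kid is part of the signed data so it cannot be swapped.
func (r *Realm) Sign(payload string) (string, error) {
	signed := r.active + "." + b64([]byte(payload))
	h := sha256.Sum256([]byte(signed))
	sig, err := ecdsa.SignASN1(rand.Reader, r.keys[r.active].priv, h[:])
	if err != nil {
		return "", err
	}
	return signed + "." + b64(sig), nil
}

// Verify accepts tokens from the active key or any unexpired inactive key.
// stale=true means an inactive key signed it, so the caller should re-issue.
func (r *Realm) Verify(token string) (payload string, stale bool, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false, ErrBadSig
	}
	key, ok := r.keys[parts[0]]
	if !ok {
		return "", false, ErrUnknownKey
	}
	stale = parts[0] != r.active
	if stale && !r.now().Before(key.expires) {
		return "", false, ErrExpiredKey
	}
	sig, err1 := base64.RawURLEncoding.DecodeString(parts[2])
	raw, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err1 != nil || err2 != nil || !ecdsa.VerifyASN1(&key.priv.PublicKey, h[:], sig) {
		return "", false, ErrBadSig
	}
	return string(raw), stale, nil
}

// Refresh applies the cookie rule from the mail: a token that is still valid
// but signed with an inactive key is re-signed with the active key.
func (r *Realm) Refresh(token string) (string, error) {
	payload, stale, err := r.Verify(token)
	if err != nil || !stale {
		return token, err
	}
	return r.Sign(payload)
}
```

<p>Two points worth checking in any real implementation of this design: the kid must be covered by the signature (here it is the first part of the signed string), otherwise a token can be re-labelled to a different key, and the grace period passed to <code>Rotate</code> is exactly the "expiration time on the inactive keypairs" from the proposal, after which <code>Verify</code> refuses the old key even though its signature is still mathematically valid. Fetching the public keys over a JWKS URL, which the adapter side in the thread handles, is not shown.</p>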
</body>
</html>