[keycloak-user] OpenID Connect support

Bill Burke bburke at redhat.com
Mon Oct 20 13:57:44 EDT 2014


I thought the issuer was the realm.  I guess it's not....Also looks like 
we'll need to have one URL to process all realm oidc requests as the ISS 
is validated.

Does this library offer any encryption/signature options for the ID Token?

On 10/20/2014 1:22 PM, Iván Perdomo wrote:
> Hi,
>
> On Mon, 20 Oct 2014 12:04:44 -0400
> Bill Burke <bburke at redhat.com> wrote:
>
>> Can't really tell, but maybe your library doesn't like the token
>> format we send back?  Just looking at the 1st exception in the log...
>>
>> Log a jira and we can look into it.  Our queue is pretty full at the
>> moment though.
>
> I made some more logging, and I think I can identify some wrong values
> in the ID Token returned by Keycloak
>
> This is a sample token by MITREid Connect:
>
> {header={"alg":"RS256"},
> payload={"aud":["foobar"],"exp":1413824459,"iat":1413823859,"iss":"https://login.akvotest.org/mitreid/","sub":"01921.FLANRJQW"}}
>
> This is a sample token returned by Keycloak:
>
> {header={"alg":"RS256"},
> payload={"aud":"akvo","azp":"foobar","exp":1413823598,"iat":1413823298,"iss":"akvo","jti":"0cbe4757-90fe-470f-9b86-29bfd9646437","nbf":0,"sub":"0959c25d-535b-4ab4-b533-d70d3db5c758","name":"User Akvo","email":"user at akvo.org","given_name":"User","family_name":"Akvo","preferred_username":"user","email_verified":true}}
>
> There are wrong values in the Keycloak [1]:
>
> * iss - in Keycloak is returning the Realm name, while needs to be the
>    URL of the issuer [2]
> * aud - this value must contain the client_id "foobar" in our case, but
>    Keycloak is returning the Realm name.
>
> If you provide some guidance I would like to help on fixing this
> issue.
>
> [1]
> http://openid.net/specs/openid-connect-basic-1_0-23.html#id.token.validation
> [2] http://openid.net/specs/openid-connect-basic-1_0-23.html#id_token
>
> Cheers,
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
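The two ID Token payloads quoted in Iván's message make a concrete test case for the relying-party checks that section 2.2.1 of the OIDC Basic profile requires (iss equals the configured issuer URL, aud contains the client_id, azp rules, exp/iat sanity). The example below is added here for illustration; it is not MITREid Connect or Keycloak code. The claim dictionaries are transcribed from the thread, the `now` values are chosen to fall inside each token's iat/exp window, and the issuer URL assumed for the "akvo" realm is hypothetical, since the thread never states it. Signature verification is deliberately out of scope; this checks claims only.

```python
"""Relying-party checks on ID Token claims (OpenID Connect Basic Client
Profile, ID Token validation), run against the two sample payloads from
the thread. Example code for illustration; not MITREid Connect or Keycloak
code. Signature verification is a separate step and is not shown here."""
from typing import Any, Dict, List

# Claims transcribed from the MITREid Connect token quoted in the thread.
MITREID_CLAIMS: Dict[str, Any] = {
    "aud": ["foobar"],
    "exp": 1413824459,
    "iat": 1413823859,
    "iss": "https://login.akvotest.org/mitreid/",
    "sub": "01921.FLANRJQW",
}

# Claims transcribed from the Keycloak token quoted in the thread
# (the list archive munged the address; "user@akvo.org" is assumed).
KEYCLOAK_CLAIMS: Dict[str, Any] = {
    "aud": "akvo",
    "azp": "foobar",
    "exp": 1413823598,
    "iat": 1413823298,
    "iss": "akvo",
    "jti": "0cbe4757-90fe-470f-9b86-29bfd9646437",
    "nbf": 0,
    "sub": "0959c25d-535b-4ab4-b533-d70d3db5c758",
    "name": "User Akvo",
    "email": "user@akvo.org",
    "given_name": "User",
    "family_name": "Akvo",
    "preferred_username": "user",
    "email_verified": True,
}

# Hypothetical issuer URL for the "akvo" realm: the real value depends on
# the deployment and is not given in the thread.
ASSUMED_KEYCLOAK_ISSUER = "https://login.akvotest.org/auth/realms/akvo"


def validate_id_token_claims(claims: Dict[str, Any], expected_issuer: str,
                             client_id: str, now: int, leeway: int = 0) -> List[str]:
    """Return a list of validation failures; an empty list means the claims pass.

    Rules applied (OIDC Basic profile, ID Token validation):
      - iss must exactly equal the issuer URL the RP was configured with
      - aud (string or list) must contain the RP's client_id
      - azp is required when aud lists several audiences, and if present
        must equal client_id
      - exp must be in the future, iat not in the future, nbf (if present)
        not in the future, all relative to `now` with optional leeway
      - sub must be present
    """
    errors: List[str] = []

    iss = claims.get("iss")
    if iss != expected_issuer:
        errors.append(f"iss: expected {expected_issuer!r}, got {iss!r}")

    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        errors.append(f"aud: {audiences!r} does not contain client_id {client_id!r}")
    if len(audiences) > 1 and "azp" not in claims:
        errors.append("azp: required when aud lists more than one audience")
    if "azp" in claims and claims["azp"] != client_id:
        errors.append(f"azp: expected {client_id!r}, got {claims['azp']!r}")

    exp = claims.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        errors.append(f"exp: token expired or missing (exp={exp!r}, now={now})")
    iat = claims.get("iat")
    if not isinstance(iat, int) or iat > now + leeway:
        errors.append(f"iat: missing or in the future (iat={iat!r}, now={now})")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now < nbf - leeway:
        errors.append(f"nbf: token not yet valid (nbf={nbf}, now={now})")

    if not claims.get("sub"):
        errors.append("sub: missing")

    return errors


if __name__ == "__main__":
    # `now` is picked inside each token's own iat..exp window.
    for label, claims, issuer, now in (
        ("MITREid", MITREID_CLAIMS, "https://login.akvotest.org/mitreid/", 1413823900),
        ("Keycloak", KEYCLOAK_CLAIMS, ASSUMED_KEYCLOAK_ISSUER, 1413823300),
    ):
        problems = validate_id_token_claims(claims, issuer, "foobar", now)
        print(f"{label}: {'OK' if not problems else 'REJECT'}")
        for p in problems:
            print("  -", p)
```

Run as-is, the MITREid payload passes and the Keycloak payload is rejected on exactly the two points raised in the thread: iss is the bare realm name rather than an issuer URL, and aud is the realm name rather than the client_id. The azp check passes for the Keycloak token because azp already carries "foobar"; that is not a substitute for aud, since a client that trusts azp without checking aud would accept tokens minted for any audience.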

