[keycloak-user] Key Id and syncing with JWKS file

Sud Ramasamy to_sud at yahoo.com
Thu Oct 26 13:51:11 EDT 2017


We have a Java application (the client) that is secured using Spring Security and the Keycloak Spring Security adapter. It is talking to Keycloak as the OIDC provider. The client is registered in Keycloak and secured with Signed Jwt as the Client Authenticator and using the JWKS URL pointing to a location where we host the JWKS file.

The Key Id (kid) value for the key in the JWKS file must match the value that the client-side Keycloak adapter is sending to Keycloak, which makes sense. The client-side adapter is using the KeyUtils.createKeyId() method to construct the Key Id. I've copy-pasted the method below:


   import java.security.Key;
   import java.security.MessageDigest;
   import java.security.NoSuchAlgorithmException;
   import org.keycloak.common.util.Base64Url;

   public static final String DEFAULT_MESSAGE_DIGEST = "SHA-256"; // as defined in org.keycloak.common.util.KeyUtils
   // kid = base64url(SHA-256(key.getEncoded())); for an RSA public key, getEncoded() is the X.509 SubjectPublicKeyInfo DER
   public static String createKeyId(Key key) {
       try {
           return Base64Url.encode(MessageDigest.getInstance(DEFAULT_MESSAGE_DIGEST).digest(key.getEncoded()));
       } catch (NoSuchAlgorithmException e) {
           throw new RuntimeException(e);
       }
   }


I don't see a way to specify the Key Id value to use in the Keycloak adapter's JSON configuration file. Instead, it appears that when we build out the JWKS file we need to use the above logic to populate the Key Id value. Is this true? Or do we need an enhancement for the Keycloak adapter to support a key id parameter/value in the configuration file?

Thanks in advance.
-sud
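As an added example (not code from the post or from the Keycloak project), the following Python script builds a JWKS entry whose kid is derived the same way the adapter's createKeyId() derives it: base64url without padding of the SHA-256 digest of the key's getEncoded() bytes. It assumes the adapter hashes the client's RSA public key, whose getEncoded() form is the DER SubjectPublicKeyInfo, so the script encodes that structure itself from (n, e) in pure Python rather than depending on a crypto library. The modulus is a constructed toy value, not a real key. The verify_jwks() function is the check a practitioner would run over a hosted JWKS file before registering it: it recomputes the expected kid from each entry's n and e and flags entries whose kid the adapter would never send.

```python
import base64
import hashlib
import json

# Constructed toy RSA modulus (512 bits, not a real key pair); a real JWKS
# entry would carry the client's actual 2048-bit modulus and exponent.
TOY_N = int(
    "C4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E"
    "2BE2BE8FA60150B9046965837C3E7D151B7DE237EBB957C20663898250703B3F", 16)
TOY_E = 65537

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already DER-encoded.
RSA_ENCRYPTION_OID = bytes.fromhex("06092A864886F70D010101")


def der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    """DER INTEGER; the +8 keeps a leading 0x00 byte when the top bit is set."""
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def rsa_spki_der(n, e):
    """SubjectPublicKeyInfo DER, i.e. what a Java RSAPublicKey.getEncoded() returns."""
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # NULL parameters
    bit_string = der_tlv(0x03, b"\x00" + rsa_public_key)      # 0 unused bits
    return der_tlv(0x30, alg_id + bit_string)


def b64url(data):
    """base64url with the '=' padding stripped, as Keycloak's Base64Url.encode() emits."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def unsigned_bytes(value):
    """Minimal big-endian bytes with no sign byte: the JWK form of n and e (RFC 7518)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def create_key_id(encoded_key):
    """Mirror of KeyUtils.createKeyId(): base64url(SHA-256(key.getEncoded()))."""
    return b64url(hashlib.sha256(encoded_key).digest())


def build_jwk(n, e):
    """JWK for an RSA public key carrying the kid the adapter will send."""
    return {
        "kty": "RSA", "use": "sig", "alg": "RS256",
        "kid": create_key_id(rsa_spki_der(n, e)),
        "n": b64url(unsigned_bytes(n)),
        "e": b64url(unsigned_bytes(e)),
    }


def verify_jwks(jwks):
    """For each RSA key, recompute the kid from n and e; returns (kid, expected, ok)."""
    results = []
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != "RSA":
            continue
        n = int.from_bytes(b64url_decode(jwk["n"]), "big")
        e = int.from_bytes(b64url_decode(jwk["e"]), "big")
        expected = create_key_id(rsa_spki_der(n, e))
        results.append((jwk.get("kid"), expected, jwk.get("kid") == expected))
    return results


if __name__ == "__main__":
    jwks = {"keys": [build_jwk(TOY_N, TOY_E)]}
    print(json.dumps(jwks, indent=2))
    print(verify_jwks(jwks))
```

For a real key, replace TOY_N and TOY_E with the modulus and exponent of the client's own public key; the resulting kid is the only value that will match what the adapter puts in the JWT header, and a mismatch reported by verify_jwks() is exactly the failure described above.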
