[keycloak-user] CEK key for alg:dir

Tim Rademacher t.rademacher at gmx.de
Tue Nov 6 10:20:50 EST 2018


...I suddenly had the idea that the auth request returns the auth code that
is then used to get an access token. So the auth code is just returned to
its origin. So the "shared secret" CEK is not a shared secret, but only known
by the Keycloak server. So it makes sense that I could not find the
information on where to get the CEK, since the Keycloak server is the only one
who needs it.

Could someone please confirm?

Thanks

Tim


From: Tim Rademacher <t.rademacher at gmx.de>
Sent: Tuesday, 6 November 2018 13:21
To: 'keycloak-user at lists.jboss.org' <keycloak-user at lists.jboss.org>
Subject: CEK key for alg:dir


Hi all,

I am somewhat struggling with Keycloak (version 4.5.0) and I would like to
view the data returned from an authorization request. I retrieve the token and
would like to look into it.

I see there are 5 parts:

1. Header
2. CEK
3. Init Vector
4. Content (encrypted)
5. Auth Tag

The header mentions the Algorithm to be DIR and the Encryption Algorithm to
be A128CBC-HS256.

RFC 7518 says that DIR means "Direct use of a shared symmetric key as
the CEK".

So I wonder, how would the shared key come to the client to decrypt the
content?

How would I be able to decrypt the token (where would I get the token from)?

Thank you very much!

Tim
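As an added example (not code from this thread or from Keycloak), the script below splits a JWE compact serialization into the five parts listed in the question, checks that with alg "dir" the second part is empty (the CEK is never carried in the token), and verifies the A128CBC-HS256 authentication tag. The token and the 32-byte CEK are constructed locally; the ciphertext bytes are placeholders because the Python standard library has no AES, so only the structure, header and tag are real.

```python
import base64, hashlib, hmac, json, struct

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def split_jwe(token: str) -> dict:
    """Split a JWE compact serialization into its five parts (RFC 7516 section 3.1)."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"expected 5 dot-separated parts, got {len(parts)}")
    header_b64, enc_key_b64, iv_b64, ct_b64, tag_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # RFC 7518 section 4.5: with alg "dir" the JWE Encrypted Key is the empty
    # octet sequence; the CEK itself is never transported inside the token.
    if header.get("alg") == "dir" and enc_key_b64 != "":
        raise ValueError("alg=dir requires an empty JWE Encrypted Key part")
    return {"header": header, "protected_b64": header_b64,
            "encrypted_key": b64url_decode(enc_key_b64), "iv": b64url_decode(iv_b64),
            "ciphertext": b64url_decode(ct_b64), "tag": b64url_decode(tag_b64)}

def a128cbc_hs256_tag(cek: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Tag of A128CBC-HS256 (RFC 7518 section 5.2.3): MAC_KEY is the first 16 bytes
    of the 32-byte CEK; HMAC-SHA256 over AAD || IV || ciphertext || AL, where AL is
    the AAD bit length as a 64-bit big-endian integer; result truncated to 16 bytes."""
    if len(cek) != 32:
        raise ValueError("A128CBC-HS256 needs a 32-byte CEK")
    al = struct.pack(">Q", len(aad) * 8)
    return hmac.new(cek[:16], aad + iv + ciphertext + al, hashlib.sha256).digest()[:16]

def verify_tag(token: str, cek: bytes) -> bool:
    """Check the auth tag; only a holder of the CEK can do even this step."""
    p = split_jwe(token)
    aad = p["protected_b64"].encode("ascii")  # AAD is the base64url protected header
    return hmac.compare_digest(a128cbc_hs256_tag(cek, aad, p["iv"], p["ciphertext"]), p["tag"])

def build_demo_token(cek: bytes) -> str:
    """Constructed sample: the ciphertext bytes are placeholders (real AES-CBC output
    would need a crypto library); header, empty key part, IV and tag are computed for real."""
    header_b64 = b64url_encode(b'{"alg":"dir","enc":"A128CBC-HS256"}')
    iv, ciphertext = bytes(range(16)), bytes(32)
    tag = a128cbc_hs256_tag(cek, header_b64.encode("ascii"), iv, ciphertext)
    return ".".join([header_b64, "", b64url_encode(iv), b64url_encode(ciphertext), b64url_encode(tag)])
```

Run `verify_tag(build_demo_token(cek), cek)` with the constructed key to see the tag check pass, and with any other 32-byte value to see it fail; without the server's CEK a client cannot get past this step, let alone decrypt.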
