[keycloak-user] Make kid optional in SignedJWT

Kostka Artur (BCI/ESW25) Artur.Kostka at bosch-si.com
Fri Mar 1 06:56:53 EST 2019


Hi,

I have a question regarding .NET, Keycloak and Signed JWT (https://www.keycloak.org/docs/latest/securing_apps/index.html#_client_authentication_adapter).

Right now we want to create a Signed JWT from .NET in order to retrieve our access token. There is no library available and OWIN is deprecated, so we decided to implement the required JWT by ourselves.
This is not a big deal, but we are struggling, because the native .NET returns a different value compared to the Keycloak implementation (JWTClientCredentialsProvider.java - createSignedRequestToken(...) <https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-core/src/main/java/org/keycloak/adapters/authentication/JWTClientCredentialsProvider.java>), when calculating the kid for the token header.

The .NET-calculated kid causes Keycloak to return an error message; it is obviously different from the one calculated with the Keycloak adapter. We were able to figure out that .NET and the Keycloak adapter calculate the kid differently.

As we investigated further, https://tools.ietf.org/html/rfc7515#section-4.1.4 specifies that this kid parameter is optional and just a hint for the authorization server.
Are there any plans to change this behavior according to RFC 7515 and make the kid optional?

Cheers,
Artur

Best regards

Mr. Artur Kostka
Bosch Connected Industry – BCI/ESW25
Bosch Software Innovations GmbH | Ziegelei 7 | 88090 Immenstaad | GERMANY | www.bosch-si.com
Phone +49 7545 202-256 | Fax +49 7545 202-301 | Artur.Kostka at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn
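
The reading of RFC 7515 section 4.1.4 mentioned in the message above, as an added example that is not part of the original post and is not Keycloak's code: a verifier that uses kid only to order the keys registered for one client, so a missing or differently computed kid still verifies while an unregistered key never does. It substitutes HS256 with constructed secrets for the RSA keys a signed-JWT client would use so that it runs on the standard library alone; `sign`, `verify`, the key names and the claims are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims, key, kid=None):
    """Build a compact JWS; the kid header is emitted only when one is given."""
    header = {"alg": "HS256", "typ": "JWT"}
    if kid is not None:
        header["kid"] = kid
    signing_input = ".".join(b64url(json.dumps(p).encode()) for p in (header, claims))
    mac = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify(token, client_keys):
    """Return the claims if a key registered for this client verifies the token."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return None                      # malformed token
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                      # algorithm is pinned by the verifier
    kid = header.get("kid")
    # kid only orders the candidates: the hinted key is tried first, and a
    # missing or unknown kid falls back to the client's other registered keys.
    candidates = sorted(client_keys, key=lambda name: name != kid)
    signing_input = f"{head_b64}.{body_b64}".encode()
    for name in candidates:
        mac = hmac.new(client_keys[name], signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(mac, signature):
            return json.loads(b64url_decode(body_b64))
    return None

# Constructed sample data: two keys registered for one hypothetical client.
CLIENT_KEYS = {"key-2018": b"constructed-secret-a", "key-2019": b"constructed-secret-b"}
CLAIMS = {"iss": "demo-client", "sub": "demo-client", "jti": "constructed-1"}

if __name__ == "__main__":
    for kid in ("key-2019", None, "kid-computed-differently"):
        token = sign(CLAIMS, CLIENT_KEYS["key-2019"], kid)
        print(kid, "->", verify(token, CLIENT_KEYS))
```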


