Hi,
could you please create a JIRA for it and mark the component as "Specification - OIDC"?
I agree the current behaviour has space for improvements. There is also
one related performance issue as currently we "compute" the PublicKey
from PEM during each login of federated user. Same goes for client
authentication with signed JWT. I think we should have some
"PublicKeyCacheProvider" of public keys, which will be used by both
IdentityProviders and Clients. Also we should be able to "retrieve" new
keys from "jwks_uri" on demand when a key with the corresponding "kid" is not
found (currently we do it only when the IdentityProvider config is
imported, or when the OIDC client is registered).
Thanks,
Marek
On 01/09/16 09:38, Peter Nalyvayko wrote:
Hello,
I have an external OIDC provider that uses multiple signing keys to
sign the id_tokens it issues.
According to the OIDC spec
(https://openid.net/specs/openid-connect-discovery-1_0.html),
"jwks_uri" is the "URL of the OP's JSON Web Key Set. The set contains
the signing key(s) the RP uses to validate signatures from the OP".
Now, there is only a single validating public key shown on the OIDC
external provider configuration page. When importing OIDC provider
configuration using OIDC provider metadata uri, keycloak picks the
first JWK whose "use" parameter value is set to "sig". In my case, all
JWKs in the JWK Set have their "use" member set to "sig". I took a
cursory look at the JWKS spec
(https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41#section-4.2)
and based on what I've read it seems there could be more than one key
with the same "use" parameter. Shouldn't keycloak store all signing
keys instead of just one, and use the value of the "kid" parameter
from the provider's auth response to choose a corresponding public key
to do the validation?
Regards,
--Peter
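The behaviour both messages describe, as an added stand-alone example (not Keycloak code, and not from either poster): the RP keeps every "sig" key from the JWK Set indexed by "kid", picks the verification key from the id_token header's "kid", and re-fetches the set once when a kid is unknown, so a key the OP rotates in is found without reconfiguring the provider. The `fetch` callback stands in for an HTTP GET of "jwks_uri"; the two RSA key pairs, kid values, and claims are generated or constructed inside the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// JWK holds the RFC 7517 fields needed for an RSA signing key.
type JWK struct {
	Kty, Use, Kid, N, E string
}

// JWKS is the document served at jwks_uri.
type JWKS struct{ Keys []JWK }

// KeyCache stores all "sig" keys by kid and refreshes from jwks_uri on a miss.
// fetch is an assumed stand-in for the HTTP GET of jwks_uri.
type KeyCache struct {
	fetch   func() (JWKS, error)
	keys    map[string]*rsa.PublicKey
	Fetches int // how many times jwks_uri was read (for the demo)
}

func NewKeyCache(fetch func() (JWKS, error)) *KeyCache {
	return &KeyCache{fetch: fetch, keys: map[string]*rsa.PublicKey{}}
}

// refresh replaces the cached set with what the OP currently publishes,
// keeping only RSA keys usable for signature verification.
func (c *KeyCache) refresh() error {
	set, err := c.fetch()
	if err != nil {
		return err
	}
	c.Fetches++
	fresh := map[string]*rsa.PublicKey{}
	for _, k := range set.Keys {
		if k.Kty != "RSA" || (k.Use != "" && k.Use != "sig") || k.Kid == "" {
			continue // skip encryption keys, non-RSA keys and keys without a kid
		}
		nb, errN := base64.RawURLEncoding.DecodeString(k.N)
		eb, errE := base64.RawURLEncoding.DecodeString(k.E)
		if errN != nil || errE != nil {
			return fmt.Errorf("bad JWK %q", k.Kid)
		}
		fresh[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	}
	c.keys = fresh
	return nil
}

// Lookup returns the key for kid, re-reading jwks_uri at most once per call.
func (c *KeyCache) Lookup(kid string) (*rsa.PublicKey, error) {
	if pub, ok := c.keys[kid]; ok {
		return pub, nil
	}
	if err := c.refresh(); err != nil {
		return nil, err
	}
	if pub, ok := c.keys[kid]; ok {
		return pub, nil
	}
	return nil, fmt.Errorf("no signing key with kid %q", kid)
}

// rsaToJWK is what the OP publishes for one of its signing keys.
func rsaToJWK(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kty: "RSA", Use: "sig", Kid: kid,
		N: base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E: base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// SignRS256 is the OP side: a compact JWS whose header names the kid used.
func SignRS256(kid string, priv *rsa.PrivateKey, claims string) (string, error) {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"` + kid + `"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(hdr + "." + body))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return hdr + "." + body + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyRS256 is the RP side: choose the key by the header's kid, then check the signature.
func VerifyRS256(token string, cache *KeyCache) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed JWS")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return "", err
	}
	if hdr.Alg != "RS256" { // pin the algorithm; never trust "alg" alone
		return "", fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, err := cache.Lookup(hdr.Kid)
	if err != nil {
		return "", err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig); err != nil {
		return "", err
	}
	claims, err := base64.RawURLEncoding.DecodeString(parts[1])
	return string(claims), err
}

// Scenario plays the rotation case from the thread and returns how many
// times jwks_uri had to be read: once on first use, once when the OP adds
// "key-2", and once more for a kid that is never published.
func Scenario() (int, error) {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	published := JWKS{Keys: []JWK{rsaToJWK("key-1", &k1.PublicKey)}}
	cache := NewKeyCache(func() (JWKS, error) { return published, nil })

	t1, _ := SignRS256("key-1", k1, `{"iss":"https://op.example","sub":"alice"}`)
	if _, err := VerifyRS256(t1, cache); err != nil {
		return cache.Fetches, err
	}
	published.Keys = append(published.Keys, rsaToJWK("key-2", &k2.PublicKey)) // rotation
	t2, _ := SignRS256("key-2", k2, `{"iss":"https://op.example","sub":"bob"}`)
	if _, err := VerifyRS256(t2, cache); err != nil {
		return cache.Fetches, err
	}
	t3, _ := SignRS256("key-9", k2, `{}`) // kid the OP never published
	if _, err := VerifyRS256(t3, cache); err == nil {
		return cache.Fetches, fmt.Errorf("token with unknown kid was accepted")
	}
	return cache.Fetches, nil
}

func main() {
	fetches, err := Scenario()
	fmt.Println("jwks_uri reads:", fetches, "error:", err)
}
```

The refresh-on-miss is bounded to one read per lookup, so a flood of tokens with bogus kids cannot turn the RP into a request amplifier against the OP's jwks_uri; a production cache would also rate-limit refreshes and cap the set size.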
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev