I don't really like the idea of having to reconfigure to make the adapter
accept a new signature. I know the OIDC well-known endpoint doesn't have a
signature algorithm for access tokens, but we could add one and have
adapters pull from the server what algorithms to accept.

On Tue, 26 Jun 2018, 11:00 Marek Posolda, <mposolda(a)redhat.com> wrote:
On 30/05/18 09:35, Stian Thorgersen wrote:
I think it might be better to determine which kind of Token Signature
Provider is used without parsing the JWS, for example by looking up Client or
Realm settings.
This PR might have an impact on Keycloak's performance because it parses the
JWS to determine this every time Keycloak receives a JWS token.
On the server-side that is easy. On the adapter side that would probably
require adding a property to keycloak.json to set the algorithm. In either
case it should probably default to RSA for existing realms at least, but we
could consider setting it to ES256 for new realms.
+1
Parsing token signature to determine algorithm should be avoided IMO.
AFAIR some OAuth/OIDC vendors had security issues in the past where they
parsed the header with the "none" algorithm and client applications then
automatically trusted unsigned tokens. We should make sure this is not
possible.
Marek
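The verifier shape the thread is arguing for, written up as an added example (this is not Keycloak's adapter code, and `Policy`, `Sign`, `Verify` and `Scenario` are names chosen here). The adapter's accepted algorithms and their keys come from configuration, standing in for a `keycloak.json` property or a server-published allowlist; the token header's `alg` is read only to look up the configured key and is never allowed to select the algorithm, so an unsigned `"none"` token or any unlisted algorithm is refused before a signature is ever checked. Keys are generated at run time and the issuer value is constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // compact JWS uses base64url without padding

// Policy is what a hypothetical adapter learns from its own configuration (or a
// server-published allowlist): each accepted algorithm and its verification key.
type Policy map[string]crypto.PublicKey

// Sign builds a compact JWS for the scenarios below. A nil key yields an
// unsigned token carrying whatever alg is requested (the input to be rejected).
func Sign(alg string, claims map[string]any, priv crypto.Signer) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	if priv == nil {
		return input + ".", nil
	}
	digest := sha256.Sum256([]byte(input))
	var sig []byte
	switch k := priv.(type) {
	case *rsa.PrivateKey: // RS256: PKCS#1 v1.5 over SHA-256
		s, err := rsa.SignPKCS1v15(rand.Reader, k, crypto.SHA256, digest[:])
		if err != nil {
			return "", err
		}
		sig = s
	case *ecdsa.PrivateKey: // ES256: raw r||s, each left-padded to 32 bytes
		r, s, err := ecdsa.Sign(rand.Reader, k, digest[:])
		if err != nil {
			return "", err
		}
		sig = make([]byte, 64)
		r.FillBytes(sig[:32])
		s.FillBytes(sig[32:])
	default:
		return "", errors.New("unsupported signing key")
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify checks a token against the policy. The header alg only selects a
// configured key; "none" and unlisted algorithms fail before any crypto runs.
func Verify(p Policy, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	rawHdr, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	key, ok := p[hdr.Alg]
	if !ok {
		return nil, fmt.Errorf("alg %q is not in the configured allowlist", hdr.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch k := key.(type) {
	case *rsa.PublicKey: // the key type must also agree with the configured alg
		if hdr.Alg != "RS256" || rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) != nil {
			return nil, errors.New("invalid RS256 signature")
		}
	case *ecdsa.PublicKey:
		if hdr.Alg != "ES256" || len(sig) != 64 ||
			!ecdsa.Verify(k, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
			return nil, errors.New("invalid ES256 signature")
		}
	default:
		return nil, errors.New("unsupported key type in policy")
	}
	rawBody, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	return claims, json.Unmarshal(rawBody, &claims)
}

// Scenario runs the verifier over freshly generated test keys and reports,
// per case, whether it behaved as the policy requires.
func Scenario() (map[string]bool, error) {
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	policy := Policy{"RS256": &rsaKey.PublicKey, "ES256": &ecKey.PublicKey}
	claims := map[string]any{"sub": "alice", "iss": "https://idp.example/realms/demo"} // constructed
	rs, _ := Sign("RS256", claims, rsaKey)
	es, _ := Sign("ES256", claims, ecKey)
	unsigned, _ := Sign("none", claims, nil) // header says none, no signature
	hs, _ := Sign("HS256", claims, nil)      // header names an algorithm the policy never listed
	tampered := strings.Split(rs, ".")       // valid RS256 token with a swapped payload
	tampered[1] = b64.EncodeToString([]byte(`{"sub":"mallory"}`))
	rsClaims, rsErr := Verify(policy, rs)
	_, esErr := Verify(policy, es)
	_, noneErr := Verify(policy, unsigned)
	_, hsErr := Verify(policy, hs)
	_, tampErr := Verify(policy, strings.Join(tampered, "."))
	return map[string]bool{
		"rs256_accepted":   rsErr == nil && rsClaims["sub"] == "alice",
		"es256_accepted":   esErr == nil,
		"none_rejected":    noneErr != nil,
		"hs256_rejected":   hsErr != nil,
		"tampered_rejected": tampErr != nil,
	}, nil
}

func main() {
	res, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, ok := range res {
		fmt.Printf("%-18s %v\n", name, ok)
	}
}
```

The one lookup the verifier performs on the header, `p[hdr.Alg]`, is a policy check rather than an algorithm choice: the map holds only what the operator (or, in the variant proposed above, the server's published list) decided to accept, and each key is additionally tied to one algorithm so a misconfigured entry cannot turn an RSA public key into an HMAC secret.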