----- Original Message -----
From: "Marek Posolda" <mposolda(a)redhat.com>
To: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 11 August, 2015 10:55:09 AM
Subject: [keycloak-dev] Keep client private keys in Keycloak DB?
> For the client authentication with signed JWT, I am wondering if we
> should keep client private key in Keycloak DB?
> TBH I am more keen to not keep the copies, but just the certificate with
> public key, so the private key is owned exclusively by client and saved
> just on client side. Looks better to me from security perspective and
> that's how Google is doing it -
> https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
+1 The private key shouldn't even be sent to the server
> But now I notice that for the SAML clients, we keep the private keys in
> Keycloak DB (the private key for signing SAML requests or the private key,
> which client needs to verify SAML assertions encrypted by its public
> key). Is it ok from the security perspective?
Do we need the private keys for SAML clients? If not, my vote is that we do the same as
what you suggest above for OpenID
> Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev