On 30/05/18 09:35, Stian Thorgersen wrote:
> I think it might be better to determine which kind of Token
Signature
> Provider be used by not parsing JWS, for example, looking up Client or
> Realm settings.
> This PR might have impacts on keycloak's performance because it has parsed
> JWS to determine it every time keycloak receives JWS Token.
>
On the server-side that is easy. On the adapter side that would probably
require adding a property to keycloak.json to set the algorithm. In either
case it should probably default to RSA for existing realms at least, but we
could consider setting it to ES256 for new realms.
+1
Parsing token signature to determine algorithm should be avoided IMO.
AFAIR Some OAuth/OIDC vendors had security issues in the past, that they
parsed the header with "none" algorithm and then client applications
automatically trust unsigned tokens. We should make sure this is not
possible.
Marek