The keypair is not something specific to a realm-client. It is specific
to the realm. The realm signs all access tokens for all clients with
its private key. Currently we do not support a shared secret, only PKI.
And we'll probably only support PKI unless there is a popular client
which can't support it.
On 4/3/2014 10:32 AM, Bruno Oliveira wrote:
I see. I was just wondering if it is possible to avoid the key pair
exposition and if the idea is valid. For our clients, establish a key
agreement (ECDH for example) and use the shared key to sign JSON[1].
Does it make sense?
[1] - http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-25#section...
--
abstractj
On April 2, 2014 at 4:27:29 PM, Bill Burke (bburke(a)redhat.com) wrote:
> Not sure what you mean. The keypair is for the realm. When you create
> a realm this keypair is automatically generated. The only reason it
> exists in the example imported json files is so that the example
> adapter configs can run out of the box.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com