Encryption is redundant in most cases. You are already communicating
JWTs over SSL. Well, you should be, or your deployment is completely
insecure. Where I could see it being interesting is for semi-trusted
third-parties. These parties get a JWE as their "access token" so that
they can't read the information in the token. Services that consume the
token would have to have some shared secret/key with the server in order
to decrypt and then validate the token.
Transmitting JWK sets (or kid or x5u or x5c) is only useful to match up
the signer or encrypter with a key or shared secret to use to validate
or decrypt the JWS or JWE. Not really very important for us right now
because adapters have all the information they need (the realm's public
key) to validate. This would be useful in cases for bearer-only services
that can process tokens from different Keycloak realms.
On 2/26/2015 7:27 AM, Pedro Igor Silva wrote:
I think we also need to think about JWK. So we can carry on key/cert
info along the token and a JWK Set endpoint to retrieve them.
Google provides that and it is really useful for clients.
----- Original Message -----
From: "Jae Choi" <jaekun.choi(a)gmail.com>
Sent: Thursday, February 26, 2015 7:55:44 AM
Subject: [keycloak-dev] Json Web Encryption
Is there going to be some JSON web encryption support for Keycloak JWT?
JBoss, a division of Red Hat
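The key lookup described in the first reply above (matching the signer to an entry in a JWK set by `kid` before validating the JWS), as an added example that is not from this thread or from Keycloak's code base. It uses HMAC "oct" keys, the shared-secret case the reply mentions for semi-trusted consumers, rather than a realm's RSA public key; the JWK set, secrets and tokens are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed shared secrets, one per issuer, published as an "oct" JWK set.
# A real consumer would fetch the set from the issuer's JWK Set endpoint.
SECRETS = {"realm-a": b"constructed-secret-realm-a", "realm-b": b"constructed-secret-realm-b"}
JWKS = {"keys": [{"kty": "oct", "kid": kid, "alg": "HS256", "k": b64url_encode(s)}
                 for kid, s in SECRETS.items()]}


def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Issuer side: build a compact JWS; the header carries the kid."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jws(token: str, jwks: dict) -> dict:
    """Consumer side: pick the key by kid from the JWK set, then verify.

    Raises ValueError for a malformed token, an alg other than HS256
    (so "none" and algorithm-confusion headers are rejected), an unknown
    kid, or a signature mismatch. Returns the claims only on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    # The kid selects the key; the alg is fixed by policy, never by the token.
    key = next((k for k in jwks["keys"]
                if k.get("kty") == "oct" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(key["k"]), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p64))
```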