From: "Marek Posolda" <mposolda(a)redhat.com>
To: "Stian Thorgersen" <stian(a)redhat.com>
Cc: keycloak-dev(a)lists.jboss.org
Sent: Tuesday, 11 August, 2015 12:48:16 PM
Subject: Re: [keycloak-dev] Keep client private keys in Keycloak DB?
On 11.8.2015 11:26, Stian Thorgersen wrote:
> ----- Original Message -----
>> From: "Marek Posolda" <mposolda(a)redhat.com>
>> To: keycloak-dev(a)lists.jboss.org
>> Sent: Tuesday, 11 August, 2015 10:55:09 AM
>> Subject: [keycloak-dev] Keep client private keys in Keycloak DB?
>>
>> For the client authentication with signed JWT, I am wondering if we
>> should keep client private key in Keycloak DB?
>>
>> TBH I am more keen to not keep the copies, but just the certificate with
>> public key, so the private key is owned exclusively by client and saved
>> just on client side. Looks better to me from security perspective and
>> that's how Google is doing it -
>>
>> https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
> +1 The private key shouldn't even be sent to the server
>
>> But now I notice that for the SAML clients, we keep the private keys in
>> Keycloak DB (the private key for sign SAML requests or the private key,
>> which client needs to verify SAML assertions encrypted by its public
>> key). Is it ok from the security perspective?
> Do we need the private keys for SAML clients? If not my vote is that we do
> the same as what you suggest above for openid
I think not (Bill can correct me). For SAML, there are 2 use cases when
private key is needed just by client and server needs just
certificate+publicKey:
1) SAMLRequest is signed by client and keycloak needs to verify it with
the client public key
2) SAML Assertion is signed by Keycloak by client public key, so client
can decrypt by its private key
Actually you can either generate keys by Keycloak or import the
certificate for SAML client. If you just upload the certificate, the
private key is not stored on Keycloak side, that looks ok to me. But if
you generate them, keycloak stores private key in DB and you can later
export it to keystore (JKS or PKCS12).
For signed JWT, I would like to support generate public/private keypair
by Keycloak as well, but not store the private key in DB. So key will be
generated and downloaded in same request and client will just have
possibility to choose the format (JKS, PKCS12 or PEM text).
+1 If someone has lost the private key, they should generate a new one, not fetch the old
one from KC
Marek
>
>> Marek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev(a)lists.jboss.org
>>
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
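The model discussed in this thread for signed-JWT client authentication (the client generates the keypair and keeps the private key; the server stores only the public key and uses it to verify the client's assertion), as an added Go example that is not from this thread or from Keycloak. The function names GenerateClientKey, SignAssertion and VerifyAssertion, the claim layout and the one-minute lifetime are assumptions made for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding
// GenerateClientKey runs on the client: the private key is created locally and only
// its public half (key.PublicKey) is ever registered with the server. (Hypothetical name.)
func GenerateClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// SignAssertion (client side) builds an RS256 client assertion for the token endpoint.
func SignAssertion(key *rsa.PrivateKey, clientID, tokenURL string, now time.Time) (string, error) {
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID,
		"aud": tokenURL, "iat": now.Unix(), "exp": now.Add(time.Minute).Unix()})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(claims)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyAssertion (server side) needs only the stored public key. The algorithm is pinned
// to RS256 instead of being read from the untrusted header, and expired assertions fail.
func VerifyAssertion(pub *rsa.PublicKey, jwt string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]interface{}
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, errors.New("malformed claims")
	}
	if exp, _ := claims["exp"].(float64); now.Unix() >= int64(exp) {
		return nil, errors.New("assertion expired")
	}
	return claims, nil
}
```

Only the public key crosses the trust boundary, so a compromise of the server's database yields nothing that lets an attacker impersonate the client.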