8:29 a.m.
To be able to gracefully rotate the realm keys periodically a realm needs
to have more than one keypair. One keypair that is active and will be used
to issue new cookies and tokens. Also, one or more keypairs that are
inactive that can be used to verify old cookies and tokens.
I'm going to start work on this soon, but here's some initial thoughts:
* Realm keys will have a list of keypairs rather than just one. Only one
can be active. There will also be an expiration time on the inactive
keypairs. Once expired and inactive keypair is no longer usable.
* There will also be an option to automatically generate a new key every N
days.
* If a session cookie is signed with an inactive pair the cookie will be
refreshed so it's signed with the active keypair
* Token introspect endpoint will allow any token that is signed with any
keypair that is not expired
* If a refresh token is signed with an inactive pair the new tokens
(including refresh token) will be signed with the active keypair
* Secret used to generate client code will be linked to the keypair. I'll
need a way to specify what secret it was signed with so codes are still
valid even if they where signed with an old.
This is only for login cookie and OIDC protocol. Is it even necessary to
have support for multiple certificates for SAML? SAML doesn't have a token
introspection or refresh of the assertions right, so not sure it's needed.
With regards to the applications. Marek has already added support for
clients to fetch new keypairs for the realm. See his email on keycloak-dev
for details around that.
8:41 a.m.
Is this going to be a breaking feature or is the plan to continue supporting the current
single key/realm model?
From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org]
On Behalf Of Stian Thorgersen
Sent: Tuesday, September 13, 2016 9:29 AM
To: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: [keycloak-dev] Realm key rotation support
To be able to gracefully rotate the realm keys periodically a realm needs to have more
than one keypair. One keypair that is active and will be used to issue new cookies and
tokens. Also, one or more keypairs that are inactive that can be used to verify old
cookies and tokens.
I'm going to start work on this soon, but here's some initial thoughts:
* Realm keys will have a list of keypairs rather than just one. Only one can be active.
There will also be an expiration time on the inactive keypairs. Once expired and inactive
keypair is no longer usable.
* There will also be an option to automatically generate a new key every N days.
* If a session cookie is signed with an inactive pair the cookie will be refreshed so
it's signed with the active keypair
* Token introspect endpoint will allow any token that is signed with any keypair that is
not expired
* If a refresh token is signed with an inactive pair the new tokens (including refresh
token) will be signed with the active keypair
* Secret used to generate client code will be linked to the keypair. I'll need a way
to specify what secret it was signed with so codes are still valid even if they where
signed with an old.
This is only for login cookie and OIDC protocol. Is it even necessary to have support for
multiple certificates for SAML? SAML doesn't have a token introspection or refresh of
the assertions right, so not sure it's needed.
With regards to the applications. Marek has already added support for clients to fetch new
keypairs for the realm. See his email on keycloak-dev for details around that.
9:36 a.m.
Hi Stian,
intersting email, we were recently given advise to rotate keys periodically
but at this point in time keycloak 1.9.8 does not actually implement
http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys nor are
any of the client adapters able to use the jks url to retrieve pub keys
rather requiring to hard code the target realm key in the public-realm-key
property of the keycloak.json client configuration file.
Is this new feature going to implement the OpenID Connect spec sections
10.1 and 10.2 ?
Also I assume this would also require changes to adapters by removing the
public-realm-key property from the config file?
Kind Regards,
Niels
On Tue, Sep 13, 2016 at 11:41 PM, Nalyvayko, Peter <pnalyvayko(a)agi.com>
wrote:
Is this going to be a breaking feature or is the plan to continue
supporting the current single key/realm model?
*From:* keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@
lists.jboss.org] *On Behalf Of *Stian Thorgersen
*Sent:* Tuesday, September 13, 2016 9:29 AM
*To:* keycloak-dev <keycloak-dev(a)lists.jboss.org>
*Subject:* [keycloak-dev] Realm key rotation support
To be able to gracefully rotate the realm keys periodically a realm needs
to have more than one keypair. One keypair that is active and will be used
to issue new cookies and tokens. Also, one or more keypairs that are
inactive that can be used to verify old cookies and tokens.
I'm going to start work on this soon, but here's some initial thoughts:
* Realm keys will have a list of keypairs rather than just one. Only one
can be active. There will also be an expiration time on the inactive
keypairs. Once expired and inactive keypair is no longer usable.
* There will also be an option to automatically generate a new key every N
days.
* If a session cookie is signed with an inactive pair the cookie will be
refreshed so it's signed with the active keypair
* Token introspect endpoint will allow any token that is signed with any
keypair that is not expired
* If a refresh token is signed with an inactive pair the new tokens
(including refresh token) will be signed with the active keypair
* Secret used to generate client code will be linked to the keypair. I'll
need a way to specify what secret it was signed with so codes are still
valid even if they where signed with an old.
This is only for login cookie and OIDC protocol. Is it even necessary to
have support for multiple certificates for SAML? SAML doesn't have a token
introspection or refresh of the assertions right, so not sure it's needed.
With regards to the applications. Marek has already added support for
clients to fetch new keypairs for the realm. See his email on keycloak-dev
for details around that.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:39 p.m.
On 13/09/16 16:36, Niels Bertram wrote:
Hi Stian,
intersting email, we were recently given advise to rotate keys
periodically but at this point in time keycloak 1.9.8 does not
actually implement
http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys nor
are any of the client adapters able to use the jks url to retrieve pub
keys rather requiring to hard code the target realm key in the
public-realm-key property of the keycloak.json client configuration file.
Is this new feature going to implement the OpenID Connect spec
sections 10.1 and 10.2 ?
Also I assume this would also require changes to adapters by removing
the public-realm-key property from the config file?
Yes, exactly. Adapter's
side is already implemented in master (but not
yet documented). See my other mail for details
http://lists.jboss.org/pipermail/keycloak-dev/2016-September/008062.html
Marek
Kind Regards,
Niels
On Tue, Sep 13, 2016 at 11:41 PM, Nalyvayko, Peter <pnalyvayko(a)agi.com
<mailto:pnalyvayko@agi.com>> wrote:
Is this going to be a breaking feature or is the plan to continue
supporting the current single key/realm model?
*From:*keycloak-dev-bounces@lists.jboss.org
<mailto:keycloak-dev-bounces@lists.jboss.org>
[mailto:keycloak-dev-bounces@lists.jboss.org
<mailto:keycloak-dev-bounces@lists.jboss.org>] *On Behalf Of
*Stian Thorgersen
*Sent:* Tuesday, September 13, 2016 9:29 AM
*To:* keycloak-dev <keycloak-dev(a)lists.jboss.org
<mailto:keycloak-dev@lists.jboss.org>>
*Subject:* [keycloak-dev] Realm key rotation support
To be able to gracefully rotate the realm keys periodically a
realm needs to have more than one keypair. One keypair that is
active and will be used to issue new cookies and tokens. Also, one
or more keypairs that are inactive that can be used to verify old
cookies and tokens.
I'm going to start work on this soon, but here's some initial
thoughts:
* Realm keys will have a list of keypairs rather than just one.
Only one can be active. There will also be an expiration time on
the inactive keypairs. Once expired and inactive keypair is no
longer usable.
* There will also be an option to automatically generate a new key
every N days.
* If a session cookie is signed with an inactive pair the cookie
will be refreshed so it's signed with the active keypair
* Token introspect endpoint will allow any token that is signed
with any keypair that is not expired
* If a refresh token is signed with an inactive pair the new
tokens (including refresh token) will be signed with the active
keypair
* Secret used to generate client code will be linked to the
keypair. I'll need a way to specify what secret it was signed with
so codes are still valid even if they where signed with an old.
This is only for login cookie and OIDC protocol. Is it even
necessary to have support for multiple certificates for SAML? SAML
doesn't have a token introspection or refresh of the assertions
right, so not sure it's needed.
With regards to the applications. Marek has already added support
for clients to fetch new keypairs for the realm. See his email on
keycloak-dev for details around that.
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
<https://lists.jboss.org/mailman/listinfo/keycloak-dev>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
2:21 a.m.
On 13 September 2016 at 16:36, Niels Bertram <nielsbne(a)gmail.com> wrote:
Hi Stian,
intersting email, we were recently given advise to rotate keys
periodically but at this point in time keycloak 1.9.8 does not actually
implement http://openid.net/specs/openid-connect-core-1_0.
html#RotateSigKeys nor are any of the client adapters able to use the jks
url to retrieve pub keys rather requiring to hard code the target realm key
in the public-realm-key property of the keycloak.json client configuration
file.
Is this new feature going to implement the OpenID Connect spec sections
10.1 and 10.2 ?
10.1 yes, we don't support encryption at the moment and this work will not
include it.
Also I assume this would also require changes to adapters by removing the
public-realm-key property from the config file?
Kind Regards,
Niels
On Tue, Sep 13, 2016 at 11:41 PM, Nalyvayko, Peter <pnalyvayko(a)agi.com>
wrote:
> Is this going to be a breaking feature or is the plan to continue
> supporting the current single key/realm model?
>
>
>
> *From:* keycloak-dev-bounces(a)lists.jboss.org [mailto:
> keycloak-dev-bounces(a)lists.jboss.org] *On Behalf Of *Stian Thorgersen
> *Sent:* Tuesday, September 13, 2016 9:29 AM
> *To:* keycloak-dev <keycloak-dev(a)lists.jboss.org>
> *Subject:* [keycloak-dev] Realm key rotation support
>
>
>
> To be able to gracefully rotate the realm keys periodically a realm needs
> to have more than one keypair. One keypair that is active and will be used
> to issue new cookies and tokens. Also, one or more keypairs that are
> inactive that can be used to verify old cookies and tokens.
>
>
>
> I'm going to start work on this soon, but here's some initial thoughts:
>
>
>
> * Realm keys will have a list of keypairs rather than just one. Only one
> can be active. There will also be an expiration time on the inactive
> keypairs. Once expired and inactive keypair is no longer usable.
>
> * There will also be an option to automatically generate a new key every
> N days.
>
> * If a session cookie is signed with an inactive pair the cookie will be
> refreshed so it's signed with the active keypair
>
> * Token introspect endpoint will allow any token that is signed with any
> keypair that is not expired
>
> * If a refresh token is signed with an inactive pair the new tokens
> (including refresh token) will be signed with the active keypair
>
> * Secret used to generate client code will be linked to the keypair. I'll
> need a way to specify what secret it was signed with so codes are still
> valid even if they where signed with an old.
>
>
>
> This is only for login cookie and OIDC protocol. Is it even necessary to
> have support for multiple certificates for SAML? SAML doesn't have a token
> introspection or refresh of the assertions right, so not sure it's needed.
>
>
>
> With regards to the applications. Marek has already added support for
> clients to fetch new keypairs for the realm. See his email on keycloak-dev
> for details around that.
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
2:17 a.m.
On 13 September 2016 at 15:41, Nalyvayko, Peter <pnalyvayko(a)agi.com> wrote:
Is this going to be a breaking feature or is the plan to continue
supporting the current single key/realm model?
If you only have a single active keypair and no inactive pairs it will
behave exactly as today. We will change the way keys are stored in the db,
but this will be taken care of by migration.
*From:* keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@
lists.jboss.org] *On Behalf Of *Stian Thorgersen
*Sent:* Tuesday, September 13, 2016 9:29 AM
*To:* keycloak-dev <keycloak-dev(a)lists.jboss.org>
*Subject:* [keycloak-dev] Realm key rotation support
To be able to gracefully rotate the realm keys periodically a realm needs
to have more than one keypair. One keypair that is active and will be used
to issue new cookies and tokens. Also, one or more keypairs that are
inactive that can be used to verify old cookies and tokens.
I'm going to start work on this soon, but here's some initial thoughts:
* Realm keys will have a list of keypairs rather than just one. Only one
can be active. There will also be an expiration time on the inactive
keypairs. Once expired and inactive keypair is no longer usable.
* There will also be an option to automatically generate a new key every N
days.
* If a session cookie is signed with an inactive pair the cookie will be
refreshed so it's signed with the active keypair
* Token introspect endpoint will allow any token that is signed with any
keypair that is not expired
* If a refresh token is signed with an inactive pair the new tokens
(including refresh token) will be signed with the active keypair
* Secret used to generate client code will be linked to the keypair. I'll
need a way to specify what secret it was signed with so codes are still
valid even if they where signed with an old.
This is only for login cookie and OIDC protocol. Is it even necessary to
have support for multiple certificates for SAML? SAML doesn't have a token
introspection or refresh of the assertions right, so not sure it's needed.
With regards to the applications. Marek has already added support for
clients to fetch new keypairs for the realm. See his email on keycloak-dev
for details around that.
10:53 a.m.
On 09/13/2016 09:29 AM, Stian Thorgersen wrote:
To be able to gracefully rotate the realm keys periodically a realm
needs to have more than one keypair. One keypair that is active and will
be used to issue new cookies and tokens. Also, one or more keypairs that
are inactive that can be used to verify old cookies and tokens.
This is only for login cookie and OIDC protocol. Is it even necessary
to
have support for multiple certificates for SAML? SAML doesn't have a
token introspection or refresh of the assertions right, so not sure it's
needed.
SAML also needs multiple keys during the rotation period. Off the top of
my head I do not recall if the realm key is used for signing or if an
independent key is generated. Currently Keycloak does not support SAML
encryption but when it does the same will apply to encryption keys as
would currently apply to signing keys.
SAML metadata permits multiple keys to be defined. The current errata
for SAML metadata (sstc-saml-metadata-errata-2.0-wd-05-diff.pdf)
includes this edit:
The inclusion of multiple <KeyDescriptor> elements with
the same use attribute (or no such attribute) indicates
that any of the included keys may be used by the
containing role or affiliation. A relying party SHOULD
allow for the use of any of the included keys. When
possible the signing or encrypting party SHOULD indicate
as specifically as possible which key it used to enable
more efficient processing.
This means there will need to be logic in the code that signs and
verifies signatures to iterate over an (ordered) list of keys *and* in
the code used to both generate and consume metadata to permit multiple keys.
--
John
2:07 p.m.
On 9/23/16 11:53 AM, John Dennis wrote:
On 09/13/2016 09:29 AM, Stian Thorgersen wrote:
> To be able to gracefully rotate the realm keys periodically a realm
> needs to have more than one keypair. One keypair that is active and will
> be used to issue new cookies and tokens. Also, one or more keypairs that
> are inactive that can be used to verify old cookies and tokens.
> This is only for login cookie and OIDC protocol. Is it even necessary to
> have support for multiple certificates for SAML? SAML doesn't have a
> token introspection or refresh of the assertions right, so not sure it's
> needed.
SAML also needs multiple keys during the rotation period. Off the top of
my head I do not recall if the realm key is used for signing or if an
independent key is generated. Currently Keycloak does not support SAML
encryption but when it does the same will apply to encryption keys as
would currently apply to signing keys.
We support encrypting the assertion.
Bill
2786
days inactive
2796
days old
7 comments
6 participants
participants (6)
-
Bill Burke -
John Dennis -
Marek Posolda -
Nalyvayko, Peter -
Niels Bertram -
Stian Thorgersen