ECDSA would be a great addition as there should be significant performance
improvements over RSA.
First thing is we have our own internal utils for signing that relies on
BouncyCastle and we would not accept a dependency on "nimbus-jose-jwt". Due
to our productization process for RH-SSO we do not easily accept adding new
third party dependencies and in this case it's completely pointless as we
already have the equivalent libraries internally.
To add ECDSA support there is a fair bit of work needed:
1. Add key provider implementations. We'd need providers that correspond to
the ones we have for RSA (upload keys, generated keys, etc.)
2. Add option to realm (to set default realm signing algorithm) and clients
to be able to override the algorithm to use
3. Update internal signing libraries on the server side to use correct
algorithm according to 1
4. Update adapters to support ECDSA signatures - this includes Java and
5. Loads of testing
6. Documentation updates
That's at least what I can think of at the top of my head.
On 7 July 2017 at 12:50, Kishan Sagathiya <kishansagathiya(a)gmail.com> wrote:
We are trying to develop ECDSA support for Keycloak.
I have already written a ECDSAProvider and I am using nimbus-jose-jwt
library. Though, I am not sure how to proceed forward. How to add an option
in keycloak console to add a ECDSA key, etc.
If anyone can help me with this, that would be great.
Sent with Mailtrack
keycloak-dev mailing list