We have a Java application (the client) that is secured using Spring Security and the
Keycloak Spring Security adapter. It is talking to Keycloak as the OIDC provider. The
client is registered in Keycloak and secured with Signed Jwt as the Client Authenticator
and using the JWKS URL pointing to a location where we host the JWKS file.
The Key Id (kid) value for the key in the JWKS file must match the value that the client
side Keycloak adapter is sending to Keycloak. Which makes sense. The client side adapter
is using the KeyUtils.createKeyId() method to construct the Key Id. I’ve copy pasted the
method below:
public static String createKeyId(Key key) {
try {
return
Base64Url.encode(MessageDigest.getInstance(DEFAULT_MESSAGE_DIGEST).digest(key.getEncoded()));
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
}
I don’t see a way to specify the Key Id value to use in the Keycloak adapter’s JSON
configuration file. Instead it appears that when we build out the JWKS file we need to use
the above logic to populate the Key Id value. Is this true? Or do we need an enhancement
for the Keycloak adapter to support a key id parameter/value in the configuration file.
Thanks in advance.
-sud