We have a JIRA for elliptic curves, but haven't yet come to it.
For signing tokens by HMAC, there is no plan for it AFAIK. It is not
great to sign accessTokens and idTokens by HMAC anyway, since the
applications will need to have access to the realm signing key, as it is
symmetric stuff. This can be a security hole, as then the application can
generate and sign tokens by itself. Hence we rather rely on
asymmetric cryptography - Keycloak signs tokens with the private key and
the application has just the public key to verify signatures.
We just have a JIRA for supporting HMAC-signed refresh tokens - this is OK as
those refresh tokens are just an opaque string for the application.
The application doesn't need to verify signatures on them.
Marek
On 30/05/17 14:34, Matuszak, Eduard wrote:
Hello
Since version 2.5 it is possible to choose signing mechanisms other than RSA in the
realm administration. To enhance performance, I tried to induce Keycloak to use HMAC
for token signing, but it seems that this does not work: HMAC is ignored despite the
priority settings, and login will even fail if the HMAC key is the only active/enabled key. It
would be nice (and essential for our purposes because of performance issues) to be able to
change the signature algorithms, and if elliptic curves would be provided as a fast
asymmetric alternative to RSA as well. Is this projected for a near-future version?
Best regards, Eduard Matuszak
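
The property described in the reply above, as an added example that is not part of the original thread and is not Keycloak code: verifying an HMAC-signed token means recomputing the MAC, so any application given the key for verification can also issue tokens that other verifiers accept. The key, issuer URL, claims and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Verify by recomputing the MAC; this needs the same key that signed."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))

# Constructed sample values, not taken from a real realm.
REALM_KEY = b"constructed-realm-hmac-secret"
ISSUER = "https://sso.example.test/realms/demo"

def server_issues() -> str:
    """Token as the identity server would issue it."""
    return sign_hs256({"iss": ISSUER, "sub": "alice", "roles": ["user"]}, REALM_KEY)

def application_can_also_issue(app_copy_of_key: bytes) -> dict:
    """The application holds the key only to verify, yet the same key lets it
    produce a token with different claims that any other verifier accepts."""
    minted = sign_hs256({"iss": ISSUER, "sub": "alice", "roles": ["admin"]},
                        app_copy_of_key)
    return verify_hs256(minted, REALM_KEY)

if __name__ == "__main__":
    print(verify_hs256(server_issues(), REALM_KEY))
    print(application_can_also_issue(REALM_KEY))
```

With an asymmetric algorithm the application would hold only the public key, which is enough for `verify` but cannot produce a valid signature.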