[keycloak-dev] Keep client private keys in Keycloak DB?

Stian Thorgersen stian at redhat.com
Tue Aug 11 05:26:01 EDT 2015


----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 11 August, 2015 10:55:09 AM
> Subject: [keycloak-dev] Keep client private keys in Keycloak DB?
> 
> For the client authentication with signed JWT, I am wondering if we
> should keep client private key in Keycloak DB?
> 
> TBH I am more keen to not keep the copies, but just the certificate with
> public key, so the private key is owned exclusively by client and saved
> just on client side. Looks better to me from security perspective and
> that's how Google is doing it -
> https://developers.google.com/identity/protocols/OAuth2ServiceAccount .

+1 The private key shouldn't even be sent to the server

> 
> But now I notice that for the SAML clients, we keep the private keys in
> Keycloak DB (the private key for signing SAML requests or the private key,
> which client needs to verify SAML assertions encrypted by its public
> key). Is it ok from the security perspective?

Do we need the private keys for SAML clients? If not, my vote is that we do the same as what you suggest above for openid

> 
> Marek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> 
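The split Marek proposes, shown as an added example that is not Keycloak code and not part of this thread: the client generates its own key pair and keeps the private key, the server registers nothing but the public key, and client authentication at the token endpoint is a signed JWT (the private_key_jwt / RFC 7523 assertion) that the server checks with that public key alone. The client id, token endpoint URL and the jti values are assumptions; real deployments usually ship the public key inside an X.509 certificate, as the Google page linked above does, and the server side here uses only the JDK, with a tiny claim extractor instead of a JSON library.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PrivateKeyJwtExample {

    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();

    // ---- client side: the private key is created here and never leaves the client ----

    static String buildClientAssertion(PrivateKey clientPrivateKey, String clientId,
                                       String tokenEndpoint, String jti, long nowSec) throws Exception {
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        // iss and sub are both the client id, aud is the token endpoint (RFC 7523 section 3)
        String payload = "{\"iss\":\"" + clientId + "\",\"sub\":\"" + clientId
                + "\",\"aud\":\"" + tokenEndpoint + "\",\"jti\":\"" + jti
                + "\",\"iat\":" + nowSec + ",\"exp\":" + (nowSec + 60) + "}";
        String signingInput = b64(header) + "." + b64(payload);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(clientPrivateKey);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + ENC.encodeToString(sig.sign());
    }

    private static String b64(String s) {
        return ENC.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // ---- server side: stores only the public key (in practice the client's certificate) ----

    static final class ClientRegistration {
        final String clientId;
        final PublicKey publicKey;                     // the only key material the server keeps
        final Set<String> seenJtis = new HashSet<>();  // replay protection for jti

        ClientRegistration(String clientId, PublicKey publicKey) {
            this.clientId = clientId;
            this.publicKey = publicKey;
        }
    }

    static boolean verifyClientAssertion(ClientRegistration reg, String jwt,
                                         String tokenEndpoint, long nowSec) throws Exception {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) return false;
        String header = new String(DEC.decode(parts[0]), StandardCharsets.UTF_8);
        // Pin the algorithm server-side; never let the token pick it (alg=none, HS256 confusion)
        if (!"RS256".equals(claim(header, "alg"))) return false;

        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(reg.publicKey);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        if (!sig.verify(DEC.decode(parts[2]))) return false;

        String payload = new String(DEC.decode(parts[1]), StandardCharsets.UTF_8);
        if (!reg.clientId.equals(claim(payload, "iss"))) return false;
        if (!reg.clientId.equals(claim(payload, "sub"))) return false;
        if (!tokenEndpoint.equals(claim(payload, "aud"))) return false;
        String exp = claim(payload, "exp");
        if (exp == null || Long.parseLong(exp) <= nowSec) return false;
        String jti = claim(payload, "jti");
        // HashSet.add returns false when the jti was already used: a replayed assertion
        return jti != null && reg.seenJtis.add(jti);
    }

    // Minimal extractor for the flat JSON built above (assumption: not a general JSON parser)
    private static String claim(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name)
                + "\"\\s*:\\s*(?:\"([^\"]*)\"|(-?\\d+))").matcher(json);
        if (!m.find()) return null;
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair clientKeys = kpg.generateKeyPair();   // generated and kept on the client

        String clientId = "my-confidential-client";   // assumed client id
        String tokenEndpoint = "https://idp.example/auth/realms/demo/protocol/openid-connect/token"; // assumed
        long now = System.currentTimeMillis() / 1000;

        // Registration: only the public half crosses to the server.
        ClientRegistration reg = new ClientRegistration(clientId, clientKeys.getPublic());

        String assertion = buildClientAssertion(clientKeys.getPrivate(), clientId, tokenEndpoint, "jti-1", now);
        System.out.println("fresh assertion accepted:    " + verifyClientAssertion(reg, assertion, tokenEndpoint, now));
        System.out.println("replayed assertion accepted: " + verifyClientAssertion(reg, assertion, tokenEndpoint, now));

        // A key pair the server never registered cannot produce an acceptable assertion.
        KeyPair rogue = kpg.generateKeyPair();
        String forged = buildClientAssertion(rogue.getPrivate(), clientId, tokenEndpoint, "jti-2", now);
        System.out.println("forged assertion accepted:   " + verifyClientAssertion(reg, forged, tokenEndpoint, now));
    }
}
```

The point of the layout is what the thread argues: a compromise of the server's database yields public keys only, so an attacker cannot mint client assertions, whereas a stored private key (as in the SAML case Marek describes) would let them impersonate the client. Rotating the client's key then means re-registering a new public key, never re-sending a private one.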

