[keycloak-dev] Keep client private keys in Keycloak DB?

Stian Thorgersen stian at redhat.com
Tue Aug 11 07:19:51 EDT 2015



----- Original Message -----
> From: "Marek Posolda" <mposolda at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Tuesday, 11 August, 2015 12:48:16 PM
> Subject: Re: [keycloak-dev] Keep client private keys in Keycloak DB?
> 
> On 11.8.2015 11:26, Stian Thorgersen wrote:
> > ----- Original Message -----
> >> From: "Marek Posolda" <mposolda at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Tuesday, 11 August, 2015 10:55:09 AM
> >> Subject: [keycloak-dev] Keep client private keys in Keycloak DB?
> >>
> >> For the client authentication with signed JWT, I am wondering if we
> >> should keep client private key in Keycloak DB?
> >>
> >> TBH I am more keen to not keep the copies, but just the certificate with
> >> public key, so the private key is owned exclusively by client and saved
> >> just on client side. Looks better to me from security perspective and
> >> that's how Google is doing it -
> >> https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
> > +1 The private key shouldn't even be sent to the server
> >
> >> But now I notice that for the SAML clients, we keep the private keys in
> >> Keycloak DB (the private key for sign SAML requests or the private key,
> >> which client needs to verify SAML assertions encrypted by its public
> >> key). Is it ok from the security perspective?
> > Do we need the private keys for SAML clients? If not my vote is that we do
> > the same as what you suggest above for openid
> I think not (Bill can correct me). For SAML, there are 2 use cases when
> the private key is needed just by the client and the server needs just
> certificate+publicKey:
> 1) SAMLRequest is signed by client and keycloak needs to verify it with
> the client public key
> 2) SAML Assertion is signed by Keycloak by client public key, so client
> can decrypt by its private key
> 
> Actually you can either generate keys by Keycloak or import the
> certificate for SAML client. If you just upload the certificate, the
> private key is not stored on Keycloak side, that looks ok to me. But if
> you generate them, keycloak stores private key in DB and you can later
> export it to keystore (JKS or PKCS12).
> 
> For signed JWT, I would like to support generate public/private keypair
> by Keycloak as well, but not store the private key in DB. So key will be
> generated and downloaded in same request and client will just have
> possibility to choose the format (JKS, PKCS12 or PEM text)

+1 If someone has lost the private key, they should generate a new one, not fetch the old one from KC

> 
> Marek
> >
> >> Marek
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> 

