[keycloak-dev] JWK

Stian Thorgersen stian at redhat.com
Thu Mar 12 10:56:24 EDT 2015



----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: "Stian Thorgersen" <stian at redhat.com>
> Cc: keycloak-dev at lists.jboss.org
> Sent: Thursday, 12 March, 2015 3:50:39 PM
> Subject: Re: [keycloak-dev] JWK
> 
> JWK shouldn't be transmitted with ID Token and/or access token by
> default is what I mean.  If I remember the specs correctly.  Bloats the
> tokens and requires more parsing time.

That's how we sign the access token isn't it? Is there an option to include it in the token itself?

> 
> On 3/12/2015 10:45 AM, Stian Thorgersen wrote:
> > It's required by OpenID Connect Discovery and is useful to 3rd party
> > libraries, we'll need it to pass OIDC interoperability.
> >
> > Why should it not be enabled by default? It's just the public realm key in
> > a reusable json format.
> >
> > We should have used JWK in keycloak.json files as well.
> >
> > ----- Original Message -----
> >> From: "Bill Burke" <bburke at redhat.com>
> >> To: keycloak-dev at lists.jboss.org
> >> Sent: Thursday, 12 March, 2015 2:17:10 PM
> >> Subject: [keycloak-dev] JWK
> >>
> >> Not sure why we have JWK support and I hope it is not on by default.
> >> JWK is really only useful in the case where the client needs to identify
> >> the key needed to use to decrypt or validate an ID token/access token.
> >> In our implementation we do not have the ability to have different
> >> signers.  This knowledge is expected to be provided in configuration.
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> 
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
> 


More information about the keycloak-dev mailing list