[keycloak-dev] OIDC external provider's multiple signing keys are causing signature validation errors

Marek Posolda mposolda at redhat.com
Thu Sep 1 04:42:27 EDT 2016


could you please create JIRA for it and mark component as "Specification 
- OIDC" ?

I agree the current behaviour has space for improvements. There is also 
one related performance issue as currently we "compute" the PublicKey 
from PEM during each login of federated user. Same goes for client 
authentication with signed JWT. I think we should have some 
"PublicKeyCacheProvider" of public keys, which will be used by both 
IdentityProviders and Clients. Also we should be able to "retrieve" new 
keys from "jwks_uri" on demand when key with corresponding "kid" is not 
found (currently we do it always just when IdentityProvider config is 
imported, or when OIDC client is registered).


On 01/09/16 09:38, Peter Nalyvayko wrote:
> Hello,
> I have an external OIDC provider that uses multiple signing keys to 
> sign the id_tokens it issues.
> According to the OIDC spec 
> (https://openid.net/specs/openid-connect-discovery-1_0.html), 
> "jwks_uri" is an "URL of the OP's JSON Web Key Set. The set contains 
> the signing key(s) that RP uses to validate signature from the OP".
> Now, there is only a single validating public key  shown on the OIDC 
> external provider configuration page. When importing OIDC provider 
> configuration using OIDC provider metadata uri, keycloak picks the 
> first JWK which "use" parameter value is set to "sig". In my case, all 
> JWKs in the JWK Set have their "use" member set to "sig". I took a 
> cursory look at the JWKS spec 
> (https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41#section-4.2) 
> and based on what I've read it seems there could be more than one key 
> with the same "use" parameter. Shouldn't keycloak store all signing 
> keys instead of just one, and use the value of the "kid" parameter 
> from the provider's auth response to choose a corresponding public key 
> to do the validation?
> Regards,
> --Peter
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160901/61e301a0/attachment.html 

More information about the keycloak-dev mailing list