[keycloak-dev] Configurable signature algorithms

Jan Lieskovsky jlieskov at redhat.com
Wed Aug 22 03:23:20 EDT 2018 

Per this explanation
<https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/> the
id_token is meant for the specific client only (is signed with a secret
that is
known to that client). On the other hand (from that article), the API /
access_token can be of any type
(not necessarily a JWT based one), and it is expected to have audience set
to API's unique identifier.

To me this sounds, like certain clients might want to choose just some
specific algorithm to share
the secret known to them with the frontend. Something like choosing
specific protocol version
(TLS v1.0, TLS v1.1, TLS v1.2 etc.) in the case of SSL/TLS connections. It
might be possible some
clients wouldn't support all signature algorithms supported / implemented
by Keycloak server. So having
id_token / access_token signature algorithms configurable, would allow them
to choose the one, they
are able to communicate under. I agree that in majority of the cases, the
algorithms in both cases would
be the same. But having the option to specify different algorithms for id
and access tokens, looks to me
more clients might be able to connect / use the services, compared with the
case when just one identical
algorithm would be enforced / used for both type of tokens.


On Wed, Aug 22, 2018 at 8:45 AM, Stian Thorgersen <sthorger at redhat.com>
wrote:

> The use-case for separate is if the front-end app that is using id token
> uses one algorithm, while back-ends who are using the access token expects
> a different algorithm. Now, the question is how likely is that.
>
> On Wed, 22 Aug 2018, 03:55 Sebastian Laskawiec, <slaskawi at redhat.com>
> wrote:
>
> > Setting them separately seems more flexible to me. On the other hand, it
> > is hard for me to imagine a use case where a client would use two
> different
> > signature algorithms...
> >
> > +1 for having two separate options. We can always set them equal in the
> > Admin Console if we wish.
> >
> > On Wed, Aug 22, 2018 at 2:12 AM Stian Thorgersen <sthorger at redhat.com>
> > wrote:
> >
> >> Currently, Keycloak always use RS256 both for access tokens and id
> tokens.
> >> We're working on introducing support for more algorithms and the ability
> >> to
> >> change the default for a realm and also for a client.
> >>
> >> Now the question is should have we two options one for access token and
> >> another for ID token. Or just one for both?
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

More information about the keycloak-dev mailing list