[keycloak-dev] KEYCLOAK_IDENTITY encoding choose between HMAC and RSA

Christian Battaglia christian.d.battaglia at gmail.com
Mon Jul 2 15:01:10 EDT 2018


The "encodeToken" method from "services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java" specifically uses hmac256 for its encoding, and I get that this is done for speed, but I would argue that this should be a choice in the configuration.

So my use case sort of breaks outside the walls of Keycloak, but I think this would be a great point to extend. I would like to make use of this JWT on the NGINX network layer to cryptographically verify it against the RSA public key found via "/auth/realms/<realm-name>/.well-known/openid-configuration".

This would be sort of a broad level scope authentication used for things
like CDN assets.

I get this looks kind of nasty as far as security concerns go, but how else could I include a cookie for a specific client purpose and at a specific subdomain without first adding in a minimal client frontend with the Keycloak js iframe check that then adds a cookie for that domain and then redirects them back to the URL? It seems kind of dumb this couldn't be done on a realm-wide level.

Thoughts?

- Christian

