[keycloak-dev] KEYCLOAK_IDENTITY encoding choose between HMAC and RSA
Stian Thorgersen
sthorger at redhat.com
Mon Jul 16 09:00:50 EDT 2018
The identity cookie should only be used by Keycloak to check if the user
has a session. It's not a generic cookie that should be used in NGINX to
check what permissions a user has to different applications.
On Mon, 2 Jul 2018 at 21:18, Christian Battaglia <
christian.d.battaglia at gmail.com> wrote:
> "encodeToken" method from
>
> "services/src/main/java/org/keycloak/services/managers/AuthenticationManager.java
> " specifically uses hmac256 for its encoding and I get that this is done
> for speed but I would argue that this should be a choice in the
> configuration.
>
> So my use case sort of breaks outside the walls of Keycloak but I think
> this would be a great point to extend. I would like to make use of this JWT
> on the NGINX network layer to cryptographically verify against the RSA
> public key found at
> "/auth/realms/<realm-name>/.well-known/openid-configuration".
>
> This would be sort of a broad level scope authentication used for things
> like CDN assets.
>
> I get this looks kind of nasty as far as security concerns but how else
> could I include a cookie for a specific client purpose and at a specific
> subdomain without first adding in a minimal client frontend with the
> Keycloak js iframe check that then adds a cookie for that domain and then
> redirects them back to the URL? It seems kind of dumb this couldn't be done
> on a realm wide level.
>
> Thoughts?
>
> - Christian
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-dev
mailing list