[keycloak-dev] JWS signatures using PS256 or ES256 algorithms for signing

Marek Posolda mposolda at redhat.com
Tue Jun 26 04:59:58 EDT 2018


On 30/05/18 09:35, Stian Thorgersen wrote:
>> I think it might be better to determine which kind of Token Signature
>> Provider should be used without parsing the JWS, for example by looking up
>> Client or Realm settings.
>> This PR might have impacts on keycloak's performance because it parses the
>> JWS to determine it every time keycloak receives a JWS Token.
>>
> On the server-side that is easy. On the adapter side that would probably
> require adding a property to keycloak.json to set the algorithm. In either
> case it should probably default to RSA for existing realms at least, but we
> could consider setting it to ES256 for new realms.
>
+1

Parsing the token signature to determine the algorithm should be avoided IMO.
AFAIR some OAuth/OIDC vendors had security issues in the past where they
parsed a header with the "none" algorithm and then client applications
automatically trusted unsigned tokens. We should make sure this is not
possible.

Marek
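The check Marek asks for, as an added example that is not Keycloak's code: the verifier takes the expected algorithm and key from its own configuration (in Keycloak that would be realm/client settings or keycloak.json on the adapter) and only compares the token header's "alg" against it; the header never selects the verification routine, so an unsigned "none" token is rejected before any signature handling. The thread is about RS256/ES256; this example uses HS256 with the standard-library HMAC so it runs without dependencies, and the principle is identical. `DEMO_KEY`, `verify_pinned`, `is_accepted` and the sample payloads are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key and the expected
# algorithm come from verifier-side configuration, never from the token.
DEMO_KEY = b"constructed-demo-key-not-for-production"


class InvalidToken(Exception):
    """Raised for any token the pinned verifier refuses."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact JWS signed with HMAC-SHA256 (the honest issuer path)."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def make_unsigned_token(payload: dict) -> str:
    """Build the kind of token the thread warns about: alg "none", empty signature.
    Used here only as a negative test input for the verifier."""
    return _json_b64({"alg": "none"}) + "." + _json_b64(payload) + "."


def verify_pinned(token: str, expected_alg: str, key: bytes) -> dict:
    """Verify a compact JWS against an algorithm chosen by configuration.

    The header is parsed, but its "alg" is only compared with expected_alg.
    It does not dispatch to a verification routine, so "none" (or any other
    algorithm the verifier was not configured for) fails closed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError as exc:  # covers bad base64 and bad JSON/UTF-8
        raise InvalidToken("unparseable header") from exc
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        raise InvalidToken("algorithm mismatch: expected %s, got %r"
                           % (expected_alg, header.get("alg") if isinstance(header, dict) else header))
    # Only the configured algorithm is implemented in this demo.
    if expected_alg != "HS256":
        raise InvalidToken("verifier not configured to handle %s" % expected_alg)
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        actual_sig = b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("unparseable signature") from exc
    if not hmac.compare_digest(expected_sig, actual_sig):
        raise InvalidToken("bad signature")
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("unparseable payload") from exc


def is_accepted(token: str, expected_alg: str, key: bytes) -> bool:
    """Boolean wrapper so callers (and tests) can check the verdict directly."""
    try:
        verify_pinned(token, expected_alg, key)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice"}, DEMO_KEY)
    print("signed token accepted:", is_accepted(good, "HS256", DEMO_KEY))
    print("alg=none token accepted:", is_accepted(make_unsigned_token({"sub": "alice"}), "HS256", DEMO_KEY))
    print("token signed with other key accepted:", is_accepted(sign_hs256({"sub": "alice"}, b"other"), "HS256", DEMO_KEY))
```

The same shape carries over to RS256/ES256: the configured algorithm picks the verifier and the public key, and a header claiming a different algorithm is a mismatch, not a hint.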


