[keycloak-user] OpenID Connect support
Bill Burke
bburke at redhat.com
Thu Oct 30 16:58:57 EDT 2014
Ivan, btw, looking at the library you are using, validation of the ID
token is optional.
On 10/30/2014 4:15 PM, Raghuram wrote:
> I tested with libraries based on Apache Oltu and even I noticed that realm name is being sent in the ID token under "iss". "aud" is null when I included multiple redirect URIs which is breaking the validation (as per OpenID spec). "azp" is not being sent (it is optional unless more than 1 client is registered) - expect that to be sent once I register two clients.
>
"aud" has been fixed in master.
"iss" still is the realm name. This is just a unique identifier for the
realm. And there is nothing in the spec that I could find that states
that it must match the token endpoint URL. It just has to be a URL that
uniquely identifies the issuer. It is something that is configured, or,
found during OIDC discovery.
Your interpretation of AZP is not my interpretation of AZP. #1. AZP is
optional, we don't have to include it at all. #2 It would only have the
value of the client that requested the token. In Keycloak, ID Tokens
are generated and only given to one audience.
> Used /account for userinfo end point that didn't work. Will provide more feedback as I continue to test
>
As I said before, we do not support userinfo yet. Our access tokens are
JSON Web Signatures signed by the realm and the content is an extended
version of ID Tokens that contains additional Keycloak metadata.
> FYI - My libraries were tested completely against a server implementation based on MITRE's OpenID Connect and they are good.
>
It's on the roadmap to expand our OIDC support beyond the minimal
requirements and to validate it against other implementations. Just
haven't gotten to it yet.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
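The "iss", "aud" and "azp" checks argued over in this thread, written out as a relying-party validator. This is an added example, not code from Keycloak, Apache Oltu or either poster; it assumes the JWS signature has already been verified and that the expected issuer is whatever the client was configured with (a realm name or a URL), which is the point Bill makes above. The realm and client names are placeholders.

```python
import time


class IDTokenError(ValueError):
    """Raised when an ID token's claim set fails the OIDC Core validation rules."""

def validate_id_token_claims(claims, expected_issuer, client_id, now=None, leeway=60):
    """Check a decoded ID token claim set per OIDC Core 1.0 section 3.1.3.7.

    Assumes the JWS signature was already verified with the realm's public key.
    expected_issuer is whatever the client was configured with or learned from
    discovery and is compared as-is, so a realm name or a URL both work.
    """
    now = time.time() if now is None else now
    # iss must exactly equal the issuer the client was configured with.
    iss = claims.get("iss")
    if iss != expected_issuer:
        raise IDTokenError(f"iss mismatch: got {iss!r}, expected {expected_issuer!r}")
    # aud may be a string or a list; it must be present and contain our client_id.
    aud = claims.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if not aud_list:
        raise IDTokenError("aud claim missing or empty")
    if client_id not in aud_list:
        raise IDTokenError(f"aud {aud_list!r} does not contain client_id {client_id!r}")
    # azp is required when there are several audiences; when present it must be us.
    azp = claims.get("azp")
    if len(aud_list) > 1 and azp is None:
        raise IDTokenError("azp required because aud has multiple values")
    if azp is not None and azp != client_id:
        raise IDTokenError(f"azp {azp!r} does not match client_id {client_id!r}")
    # exp must be present and still in the future, allowing some clock skew.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise IDTokenError("exp missing or token expired")
    return claims

def is_rejected(claims, expected_issuer, client_id, now):
    """True if validation raises IDTokenError; exercises the failure cases."""
    try:
        validate_id_token_claims(claims, expected_issuer, client_id, now=now)
    except IDTokenError:
        return True
    return False

# Constructed sample claim set; the realm and client names are placeholders.
SAMPLE_CLAIMS = {"iss": "example-realm", "aud": "my-client", "exp": 1414702000}
SAMPLE_NOW = 1414701800  # constructed "current time", shortly before exp
```

A null or empty "aud" is rejected outright, and a multi-valued "aud" without "azp" is rejected too, which is the failure the reporter hit with several redirect URIs registered.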