[keycloak-user] OpenID Connect support

Bill Burke bburke at redhat.com
Thu Oct 30 16:58:57 EDT 2014


Ivan, btw, looking at the library you are using, validation of the ID 
token is optional.

On 10/30/2014 4:15 PM, Raghuram wrote:
> I tested with libraries based on Apache Oltu and even I noticed that realm name is being sent in the ID token under "iss". "aud" is null when I included multiple redirect URIs which is breaking the validation (as per OpenID spec). "azp" is not being sent (it is optional unless more than 1 client is registered) - expect that to be sent once I register two clients.
>
"aud" has been fixed in master.

"iss" still is the realm name.  This is just a unique identifier for the 
realm.  And there is nothing in the spec that I could find that states 
that it must match the token endpoint URL.  It just has to be a URL that 
uniquely identifies the issuer.  It is something that is configured, or, 
found during OIDC discovery.

"AZP"
Your interpretation of AZP is not my interpretation of AZP.  #1.  AZP is 
optional, we don't have to include it at all.  #2 It would only have the 
value of the client that requested the token.  In Keycloak, ID Tokens 
are generated and only given to one audience.


> Used /account for userinfo endpoint that didn't work. Will provide more feedback as I continue to test
>

As I said before, we do not support userinfo yet.  Our access tokens are 
JSON Web Signatures signed by the realm and the content is an extended 
version of ID Tokens that contains additional Keycloak metadata.

> FYI - My libraries were tested completely against a server implementation based on MITRE's OpenID Connect and they are good.
>

It's on the roadmap to expand our OIDC support beyond the minimal 
requirements and to validate it against other implementations.  Just 
haven't gotten to it yet.


-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
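The "iss", "aud" and "azp" checks argued about in this thread, written out as a relying-party claim validator. This is an added example, not Keycloak code or the library Raghuram tested; the issuer string and claim sets below are constructed samples.

```python
import time

# Constructed issuer identifier (not a real realm); the RP gets this value
# from configuration or OIDC discovery and compares it verbatim.
EXPECTED_ISSUER = "https://idp.example/auth/realms/demo"


def validate_id_token_claims(claims, expected_issuer, client_id, now=None):
    """Return a list of problems with an ID Token's claims (empty = OK).

    Checks the points the thread discusses: 'iss' must equal the configured
    issuer identifier; 'aud' must contain client_id and may be a string or a
    list; 'azp' is required when 'aud' has several values and, if present,
    must equal client_id; 'exp' must be in the future.  Hypothetical helper.
    """
    problems = []
    now = time.time() if now is None else now

    if claims.get("iss") != expected_issuer:
        problems.append("iss mismatch")

    aud = claims.get("aud")
    if aud is None:                       # the 'aud is null' case from the thread
        problems.append("aud missing")
        audiences = []
    elif isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        problems.append("aud has invalid type")
        audiences = []
    if audiences and client_id not in audiences:
        problems.append("aud does not contain client_id")

    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        problems.append("azp required when aud has multiple values")
    if azp is not None and azp != client_id:
        problems.append("azp does not match client_id")

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing or not numeric")
    elif exp <= now:
        problems.append("token expired")
    return problems


# Constructed sample claim sets (not captured from a real server).
SAMPLE_OK = {"iss": EXPECTED_ISSUER, "aud": "my-client", "exp": 2_000_000_000}
SAMPLE_MULTI_AUD_NO_AZP = {"iss": EXPECTED_ISSUER, "aud": ["my-client", "other"],
                           "exp": 2_000_000_000}
SAMPLE_REALM_NAME_ISS = {"iss": "demo", "aud": "my-client", "exp": 2_000_000_000}
```

The last sample shows what a client configured with the full issuer URL sees when the token carries only the bare realm name in "iss": the validator rejects it, which is the mismatch the thread is about.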

