[keycloak-user] JSON Web Encryption
Bill Burke
bburke at redhat.com
Fri Aug 11 12:35:32 EDT 2017
We don't offer JWE. IMO, JWE is only useful for bearer token requests
involving untrusted clients or untrusted services. In all other cases
JWE would be redundant. Why? You should/must be using TLS to transmit
bearer tokens and JWE is just double encryption and redundant.
Tokens are created and tailored per client, so you do have control on
what goes into the created token on a per-client basis. So you could
strip the JWT of everything but subject and role bindings and have the
target service use the user info endpoint if it needed other
information. I do think there are some things that solve the underlying
reason for wanting JWE:
* A token exchange service so that clients with an existing token can
exchange it for a "downgraded" token to invoke on a less-trusted
service. This is already implemented in master.
* opaque/simple "callback tokens" or "token references". This would be
an opaque string in which the bearer token service would have to ask the
token introspection endpoint to validate the access token. And call the
user info service to obtain additional information.
* A global encryption method for JWT-based access tokens using JWE.
Services would have to obtain a private shared key (PKI or HMAC secret)
to decrypt the token.
* A per-client encryption method for JWT-based access tokens using JWE.
This type of access token could only be used to invoke on a specific
service and would be encrypted only for access on that service. This
case doesn't fall under the OAuth/OpenID Connect spec and would probably
require a token exchange service.
On 8/10/17 11:49 AM, Simon Payne wrote:
> does keycloak offer access token encryption?
>
> so far i can only see that keycloak signs the JWT rather than encrypting
> the content.
>
> Thanks
>
> Simon.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
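The "strip the JWT down to subject and role bindings" and "exchange for a downgraded token" ideas above, as an added example that is not part of the original thread and not Keycloak's own code. A constructed full access token (shaped like a Keycloak token, with profile claims and roles for several clients) is exchanged for a token that carries only issuer, subject, realm roles, the target service's own client roles, a single audience and a shortened expiry. The target service then verifies signature, audience and expiry and never sees the dropped claims. Signing is HS256 with a shared secret purely so the example runs stand-alone on the standard library; Keycloak signs tokens with the realm's RSA key by default, and the function names, claim values and the `SECRET` constant are all assumptions for illustration.

```python
"""Added example (not Keycloak code): exchange a full access token for a
"downgraded" token scoped to one less-trusted service.

Assumptions: HS256 with a shared secret stands in for Keycloak's RS256
realm key so this runs offline; the sample claims below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret-not-for-production"  # constructed, assumption
NOW = 1_700_000_000  # fixed clock so the example is reproducible

# Constructed sample, shaped like a Keycloak access token for client "frontend".
FULL_CLAIMS = {
    "iss": "https://sso.example.test/auth/realms/demo",
    "sub": "f0b1c2d3-0000-4000-8000-000000000001",
    "azp": "frontend",
    "aud": ["frontend", "account"],
    "iat": NOW,
    "exp": NOW + 3600,
    "email": "alice@example.test",
    "name": "Alice Example",
    "preferred_username": "alice",
    "realm_access": {"roles": ["user", "offline_access"]},
    "resource_access": {
        "billing-api": {"roles": ["invoice:read"]},
        "admin-console": {"roles": ["manage-users"]},
    },
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Compact JWS (HS256) over the given claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, expected_aud: str, now: int, secret: bytes = SECRET) -> dict:
    """Check signature, algorithm, audience and expiry; return claims or raise ValueError."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud not in auds:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def downgrade_token(full_token: str, requester: str, target_client: str,
                    now: int, ttl: int = 300) -> str:
    """Token-exchange step: keep only what target_client needs.

    Kept: iss, sub, azp, realm roles, target_client's own client roles,
    aud=target_client and an expiry capped at ttl. Dropped: profile claims
    and the roles of every other client.
    """
    full = verify_jwt(full_token, expected_aud=requester, now=now)
    if full.get("azp") != requester:
        raise ValueError("token was not issued to the requesting client")
    reduced = {
        "iss": full["iss"],
        "sub": full["sub"],
        "azp": requester,
        "aud": target_client,
        "iat": now,
        "exp": min(full["exp"], now + ttl),
        "realm_access": {"roles": list(full.get("realm_access", {}).get("roles", []))},
        "resource_access": {},
    }
    client_roles = full.get("resource_access", {}).get(target_client)
    if client_roles:
        reduced["resource_access"] = {target_client: {"roles": list(client_roles.get("roles", []))}}
    return sign_jwt(reduced)


if __name__ == "__main__":
    full = sign_jwt(FULL_CLAIMS)
    down = downgrade_token(full, "frontend", "billing-api", int(time.time()) if False else NOW)
    print(json.dumps(verify_jwt(down, "billing-api", NOW), indent=2))
```

The downgraded token still lets `billing-api` authorise on realm and client roles, but it is useless at `admin-console` (audience mismatch) and reveals no e-mail or name; anything further the service needs comes from the user info endpoint with this same token, as the reply suggests.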