[keycloak-user] token endpoint auth signing alg values supported

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Wed Nov 20 03:07:37 EST 2019


Hello,

From keycloak-8.0.0, keycloak supports RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512 for signed JWT by Client.

AFAIK, if you want to use an algorithm other than RS256, the client needs to set up an endpoint providing the public key needed to verify the JWT signed by this client.
Also, the format of this public key needs to be JWK.

It might work as follows:

1. log in to the admin console

2. open Clients->(your client)->Credentials tab

3. set Use JWKS URL : ON

4. set JWKS URL : URL from which keycloak can download your client's public key

There are some ways that keycloak retrieves the client's public key.
https://www.keycloak.org/docs/latest/server_admin/index.html#_client-credentials

1. generate the key and certificate
2. import the certificate
3. register the endpoint providing the public key needed to verify the signed JWT by this client.

AFAIK, 3 supports the use of algorithms other than RS256. But I'm not sure whether 1 and 2 also support the use of algorithms other than RS256.

Regards,
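
Added example, not part of the original message and not Keycloak's code: a Node.js sketch of the setup described above, in which the client publishes its public key as a JWKS document and signs its client-authentication JWT with RS384, and a verifier selects the key by `kid` and accepts only allowed algorithms. The key id, client id, audience URL and all function names are constructed placeholders.

```javascript
// Added example; key id, client id and audience URL are constructed placeholders.
const { generateKeyPairSync, createPublicKey, sign, verify, randomUUID } = require('node:crypto');

const b64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const unb64u = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const HASH = { RS256: 'sha256', RS384: 'sha384', RS512: 'sha512' };

// Client side: key pair plus the JWKS document to serve at the registered JWKS URL.
function makeClientKeys(kid) {
  const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const jwk = { ...publicKey.export({ format: 'jwk' }), kid, use: 'sig', alg: 'RS384' };
  return { privateKey, jwks: { keys: [jwk] } };
}

// Client side: client assertion signed with RSASSA-PKCS1-v1_5 and SHA-384 (RS384).
function signAssertion(privateKey, kid, clientId, audience, now = Math.floor(Date.now() / 1000)) {
  const header = { alg: 'RS384', typ: 'JWT', kid };
  const claims = { iss: clientId, sub: clientId, aud: audience, jti: randomUUID(), iat: now, exp: now + 60 };
  const signingInput = `${b64u(header)}.${b64u(claims)}`;
  const sig = sign(HASH.RS384, Buffer.from(signingInput), privateKey).toString('base64url');
  return `${signingInput}.${sig}`;
}

// Verifier side: generic checks a server would apply (not Keycloak's implementation).
function verifyAssertion(jwt, jwks, allowedAlgs, audience, now = Math.floor(Date.now() / 1000)) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  const header = unb64u(h);
  // The algorithm comes from the verifier's allow-list, never from the token alone.
  if (!allowedAlgs.includes(header.alg) || !HASH[header.alg]) return { ok: false, reason: 'alg not allowed' };
  const jwk = jwks.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) return { ok: false, reason: 'unknown kid' };
  const key = createPublicKey({ key: { kty: 'RSA', n: jwk.n, e: jwk.e }, format: 'jwk' });
  const good = verify(HASH[header.alg], Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!good) return { ok: false, reason: 'bad signature' };
  const claims = unb64u(p);
  if (claims.aud !== audience || claims.iss !== claims.sub) return { ok: false, reason: 'bad claims' };
  if (claims.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims };
}
```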

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Tom Billiet
Sent: Wednesday, November 20, 2019 4:53 PM
To: Dingwell, Robert A. <bobd at mitre.org>; keycloak-user at lists.jboss.org
Subject: [!]Re: [keycloak-user] token endpoint auth signing alg values supported

Some things just got added, but it's not fully clear to me on which places exactly: https://issues.jboss.org/browse/KEYCLOAK-11251

Tom

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Dingwell, Robert A.
Sent: Tuesday, 19 November 2019 18:50
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] token endpoint auth signing alg values supported

Hi,

From looking at the configuration endpoint I see that the only value in the token_endpoint_auth_signing_alg_values_supported field is RS256.  Is keycloak configurable to support other algorithms?  I’m looking for RS384 in particular to align with a specification that I am working off of.

Thanks

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user