Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-10462

Improve support for setting keys for OIDC clients




      This is follow-up on adding encrypted ID Tokens support - KEYCLOAK-6768 .

      In recent Keycloak version, we have support for Encrypted OIDC ID Tokens. It will be good to add better support to admin console to be able to specify the client's public key, which will be used to encrypt the assertion, so that client can decrypt the particular assertion with it's private key. The only way to do this is to specify JWKS URL of the client, but to enable it, you need to configure client credentials of type "Signed JWT" even if you don't want this credential to authenticate client. And there is no way to hardcode the public key for token's encryption at this moment. So to better support we may need to:

      • Introduce new tab "OIDC Keys" or "Keys" to the OIDC clients. If we introduce tab "Keys", we may need to rename tab "SAML Keys" for SAML client, to have OIDC and SAML clients consistent.
      • This new tab will allow to have switch "Use JWKS URL". If switch is ON, it will allow to configure JWKS URL. If switch is OFF, there will be a possibility to hardcode (manually configure) client keys used for SIG and ENC similarly like it is currently in the "Credentials -> Signed JWT".
      • In the tab "Credentials -> Signed JWT", there will be just info that you need to configure JWKS URL or Signing key in the tab "Keys" - so no
        configuration options on this page. Similarly the tooltips for the options for encrypted ID Token support will contain the tooltip, that you should configure JWKS URL or "hardcode" encryption key in the tab "Keys" .

      See the mailing list discussion for the details:


        Issue Links



              Unassigned Unassigned
              mposolda@redhat.com Marek Posolda
              3 Vote for this issue
              8 Start watching this issue