Keycloak / KEYCLOAK-11251

ES256 or PS256 support for Client Authentication by Signed JWT


Details

    • NEW

    Description

      Keycloak already supports Signed JWT (aka private_key_jwt in OIDC Core) for Client Authentication.

      However, the current Keycloak (7.0.0) only supports RS256 for this Signed JWT, not ES256 or PS256.

      This feature is needed to pass the Conformance Tests for Certified Financial-grade API (FAPI) OpenID Providers by the OpenID Foundation.

      Also, it needs to be possible to specify which signature algorithms are accepted, because FAPI-RW-ID2 [8.6. JWS algorithm considerations](https://openid.net/specs/openid-financial-api-part-2-ID2.html#jws-algorithm-considerations) states that at least ES256 or PS256 shall be supported in private_key_jwt, so we need a configuration in which only ES256 or PS256 is accepted.
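      The following is an added example, not code from Keycloak or from the reporter. It shows both halves of what the description asks for: a client building a private_key_jwt assertion and signing it with ES256 or PS256, and a token endpoint that checks the JWS `alg` against a configured allow-list before it verifies anything, so that an RS256 assertion is refused when only ES256/PS256 are enabled. Go is used because its standard library has ECDSA, RSA-PSS and base64url, so the example runs offline; the function names, `FAPIAlgs`, the client_id `fapi-client`, the token endpoint URL and the generated keys are all assumptions constructed for the demo.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// FAPIAlgs is the allow-list a FAPI provider configures (FAPI-RW-ID2 section 8.6); any other alg, RS256 included, is refused up front.
var FAPIAlgs = map[string]bool{"ES256": true, "PS256": true}
// b64 is base64url without padding, the encoding JWS uses for every segment.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
// SigningInput returns "header.payload" for a private_key_jwt assertion: iss = sub = client_id, aud = token endpoint, unique jti, short exp.
func SigningInput(alg, clientID, tokenEndpoint string, now time.Time) string {
	header, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	claims, _ := json.Marshal(map[string]interface{}{"iss": clientID, "sub": clientID, "aud": tokenEndpoint,
		"jti": fmt.Sprintf("%x", now.UnixNano()), "iat": now.Unix(), "exp": now.Add(60 * time.Second).Unix()})
	return b64(header) + "." + b64(claims)
}

// SignES256 signs with ECDSA P-256/SHA-256. A JWS ES256 signature is raw r||s, each left-padded
// to 32 bytes (RFC 7518 section 3.4), not the DER encoding most crypto libraries emit.
func SignES256(key *ecdsa.PrivateKey, input string) (string, error) {
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, h[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// SignPS256 signs with RSASSA-PSS/SHA-256; PS256 requires a salt as long as the hash (RFC 7518 section 3.5).
func SignPS256(key *rsa.PrivateKey, input string) (string, error) {
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyClientAssertion is the token-endpoint side: the header alg is checked against the configured
// allow-list before anything else, then it must match the type of the client's registered key, so a
// client can neither downgrade the alg nor mix key types. (aud/exp/jti checks are omitted here.)
func VerifyClientAssertion(assertion string, allowed map[string]bool, pub crypto.PublicKey) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWS")
	}
	hdrJSON, errH := base64.RawURLEncoding.DecodeString(parts[0])
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if errH != nil || errS != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return errors.New("malformed JWS segments")
	}
	if !allowed[hdr.Alg] {
		return fmt.Errorf("alg %q is not accepted for private_key_jwt", hdr.Alg)
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		if hdr.Alg != "ES256" || len(sig) != 64 || !ecdsa.Verify(k, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
			return errors.New("EC key registered: expected ES256 with a valid 64-byte signature")
		}
		return nil
	case *rsa.PublicKey:
		if hdr.Alg != "PS256" {
			return errors.New("RSA key registered: expected PS256")
		}
		return rsa.VerifyPSS(k, crypto.SHA256, h[:], sig, &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	}
	return errors.New("unsupported key type")
}

func main() {
	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // keys, client_id and endpoint are constructed for the demo
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	const clientID, tokenEP = "fapi-client", "https://idp.example/realms/demo/protocol/openid-connect/token"
	es, _ := SignES256(ecKey, SigningInput("ES256", clientID, tokenEP, time.Now()))
	ps, _ := SignPS256(rsaKey, SigningInput("PS256", clientID, tokenEP, time.Now()))
	rs := SigningInput("RS256", clientID, tokenEP, time.Now()) + ".c2ln" // RS256 header: refused before any signature check
	fmt.Println("ES256:", VerifyClientAssertion(es, FAPIAlgs, &ecKey.PublicKey))
	fmt.Println("PS256:", VerifyClientAssertion(ps, FAPIAlgs, &rsaKey.PublicKey))
	fmt.Println("RS256:", VerifyClientAssertion(rs, FAPIAlgs, &rsaKey.PublicKey))
}
```

      Run with `go run`: the ES256 and PS256 assertions verify, and the RS256 one is rejected by the allow-list without its signature ever being examined. Two points worth copying into a real implementation: the ES256 signature encoding is raw r||s rather than DER, which is the usual cause of "signature invalid" between libraries, and the verifier ties the accepted alg to the registered key type rather than trusting the header alone.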


              People

                Assignee: Unassigned
                Reporter: tnorimat Takashi Norimatsu (Inactive)
                Votes: 0
                Watchers: 6
