[KEYCLOAK-11251] ES256 or PS256 support for Client Authentication by Signed JWT - Red Hat Issue Tracker

XML

Word

Printable

Details

Type: Feature Request
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 8.0.0
Component/s: OIDC
Labels:
- release-note-item
- release-notes

Epic Link:
FAPI
Docs QE Status:
NEW
QE Status:
NEW

Description

Keycloak has already supported Signed JWT (aka private_key_jwt in OIDC core) for Client Authentication.

However, the current keycloak (7.0.0) only support RS256 for this Signed JWT, not ES256 or PS256.

This feature is needed to pass Conformance Tests for Certified Financial-grade API (FAPI) OpenID Providers by OpenID Foundation.

Also, it needs to specify which signature algorithms are accepted because we need to consider that FAPI-RW-ID2 [8.6. JWS algorithm considerations](https://openid.net/specs/openid-financial-api-part-2-ID2.html#jws-algorithm-considerations) 1 states that at least ES256 or PS256 shall be supported in private_key_jwt so that we need the configuration of only ES256 or PS256 is accepted.

Attachments

Issue Links

relates to

KEYCLOAK-10332 Pass All Conformance Tests for FAPI R/W OP w/ MTLS

Closed

KEYCLOAK-10333 Pass All Conformance Tests for FAPI R/W OP w/ Private Key

Closed

KEYCLOAK-10331 Pass All Conformance Tests for FAPI OpenID testsuite after Keycloak 15

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Takashi Norimatsu (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2019/09/02 9:51 PM

Updated:: 2021/10/24 5:54 AM

Resolved:: 2019/10/24 11:59 AM