Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[KEYCLOAK-18630] - Request object encryption support #8243

Merged
merged 1 commit into from
Jul 9, 2021
Merged

[KEYCLOAK-18630] - Request object encryption support #8243

merged 1 commit into from
Jul 9, 2021

Conversation

pedroigor
Copy link
Contributor

@pedroigor pedroigor commented Jul 5, 2021
edited
Loading

Basically:

  • Enable request object encryption using asymmetric keys (only RSA for now) based on realm active keys intended for encryption use
  • When decrypting, key selection is based on either the kid or on the priority set for keys in case multiple ENC keys exist and no kid was set
  • Exposes keys for encryption use in JWKS
  • Enables both RSA-OAEP and RSA-OAEP-256 algorithms. As well as content encryption using A256GCM.
  • Changes TokenManager to deal with both JWS and JWE. It should make it easier to support encryption in other places where clients might send JWS/JWE.
  • Supports JWE and JWS+JWE.

I did not include yet any config option for clients like to force encryption for request objects or even force a specific alg/enc.

@pedroigor pedroigor requested a review from mposolda July 5, 2021 20:10
@pedroigor pedroigor force-pushed the KEYCLOAK-18630 branch 4 times, most recently from bacb773 to 77d98fd Compare July 6, 2021 12:49
@pedroigor pedroigor added area/oidc Indicates an issue on OIDC area kind/enhancement Categorizes a PR related to an enhancement labels Jul 6, 2021
@pedroigor pedroigor force-pushed the KEYCLOAK-18630 branch 2 times, most recently from 594b579 to 6e3c9d8 Compare July 6, 2021 18:43
mposolda
mposolda requested changes Jul 9, 2021
View reviewed changes
Copy link
Contributor

@mposolda mposolda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pedroigor Thanks Pedro for the PR!

I've added two inline comments (possibly discussion points) to the PR.

services/src/main/java/org/keycloak/jose/jws/DefaultTokenManager.java Outdated Show resolved Hide resolved
services/src/main/java/org/keycloak/jose/jws/DefaultTokenManager.java Show resolved Hide resolved
mposolda
mposolda approved these changes Jul 9, 2021
View reviewed changes
Copy link
Contributor

@mposolda mposolda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@pedroigor Thanks Pedro! I am approving. I hope we can merge once tests are passing.

@pedroigor pedroigor merged commit 1baab67 into keycloak:master Jul 9, 2021
@pedroigor pedroigor deleted the KEYCLOAK-18630 branch July 9, 2021 14:27
@pedroigor pedroigor mentioned this pull request Jul 13, 2021
Merged
@fbrissi fbrissi mentioned this pull request Oct 8, 2021
Merged
@fjuma fjuma mentioned this pull request Oct 30, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mposolda mposolda mposolda approved these changes

Assignees
No one assigned
Labels
area/oidc Indicates an issue on OIDC area kind/enhancement Categorizes a PR related to an enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@pedroigor @mposolda