KEYCLOAK-13104 Signed and Encrypted ID Token Support: AES 192-bit and 256-bit key support

Takashi Norimatsu 2020-03-03 15:47:05 +09:00 committed by Marek Posolda
parent 941daa4e0f
commit 067ff33d26


@ -166,7 +166,7 @@ Please see https://tools.ietf.org/html/rfc7636[RFC 7636 Proof Key for Code Excha
[[_jwe-id-token-encryption]] [[_jwe-id-token-encryption]]
*Signed and Encrypted ID Token Support* *Signed and Encrypted ID Token Support*
{project_name} can encrypt ID token according to https://tools.ietf.org/html/rfc7516[Json Web Encryption (JWE)] specification. The administrator can determine whether encrypting ID token or not per client. This feature is disabled as default. {project_name} can encrypt ID token according to the https://tools.ietf.org/html/rfc7516[Json Web Encryption (JWE)] specification. The administrator can determine whether encrypting ID token or not per client. This feature is disabled as default.
The key for encrypting ID token is called Content Encryption Key (CEK). {project_name} and a client need to negotiate which CEK is used and how to deliver it. The way to do so is called Key Management Mode. The key for encrypting ID token is called Content Encryption Key (CEK). {project_name} and a client need to negotiate which CEK is used and how to deliver it. The way to do so is called Key Management Mode.
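Review bot: Adding `the` before the RFC 7516 link is the only change in this paragraph, yet the surrounding sentences still read awkwardly and deserve the same pass while the file is being touched: `{project_name} can encrypt the ID token according to the ... JWE specification. The administrator can decide per client whether the ID token is encrypted. This feature is disabled by default.` The link text `Json Web Encryption (JWE)` should also read `JSON Web Encryption (JWE)`, which is the actual title of RFC 7516, and the same applies to `Json Web Algorithm` in the next hunk.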
@ -181,17 +181,17 @@ The client needs to pass their public key for encrypting CEK onto {project_name}
* set ON to `JWKS URL` switch * set ON to `JWKS URL` switch
* input the client's public key providing URL on `JWKS URL` textbox * input the client's public key providing URL on `JWKS URL` textbox
Key Encryption's algorithms are defined in https://tools.ietf.org/html/rfc7518#section-4.1[Json Web Algorithm (JWA)] specification. {project_name} supports RSAES-PKCS1-v1_5(RSA1_5) and RSAES OAEP using default parameters (RSA-OAEP). The detailed procedure to select this algorithm is as follows: Key Encryption's algorithms are defined in the https://tools.ietf.org/html/rfc7518#section-4.1[Json Web Algorithm (JWA)] specification. {project_name} supports RSAES-PKCS1-v1_5(RSA1_5) and RSAES OAEP using default parameters (RSA-OAEP). The detailed procedure to select this algorithm is as follows:
* open the client's `Settings` tab * open the client's `Settings` tab
* open `Advanced Settings` * open `Advanced Settings`
* select `RSA1_5` or `RSA-OAEP` from `ID Token Encryption Key Management Algorithm` pulldown menu * select `RSA1_5` or `RSA-OAEP` from `ID Token Encryption Key Management Algorithm` pulldown menu
ID token encryption algorithms by CEK are also defined in https://tools.ietf.org/html/rfc7518#section-5.1[JWA] specification. {project_name} supports AES_128_CBC_HMAC_SHA_256 authenticated encryption (A128CBC-HS256) and AES GCM using 128-bit key (A128GCM). The detailed procedure to select this algorithm is as follows: ID token encryption algorithms by CEK are also defined in the https://tools.ietf.org/html/rfc7518#section-5.1[JWA] specification. {project_name} supports AES_CBC_HMAC_SHA2 algorithms and AES GCM algorithms. The detailed procedure to select this algorithm is as follows:
* open the client's `Settings` tab * open the client's `Settings` tab
* open `Advanced Settings` * open `Advanced Settings`
* select `A128CBC-HS256` or `A128GCM` from `ID Token Encryption Content Encryption Algorithm` pulldown menu * select the algorithm from `ID Token Encryption Content Encryption Algorithm` pulldown menu
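Review bot: Replacing the concrete list `A128CBC-HS256` / `A128GCM` with `AES_CBC_HMAC_SHA2 algorithms and AES GCM algorithms` drops the information a reader needs to choose a value, and the last bullet now says only `select the algorithm` without naming a single option in the `ID Token Encryption Content Encryption Algorithm` pulldown. Since the commit title states that 192-bit and 256-bit keys are now supported, spell out which of the `enc` identifiers registered in RFC 7518 section 5.1 (`A128CBC-HS256`, `A192CBC-HS384`, `A256CBC-HS512`, `A128GCM`, `A192GCM`, `A256GCM`) the server now accepts, for example `{project_name} supports A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512 (AES_CBC_HMAC_SHA2) and A128GCM, A192GCM and A256GCM (AES GCM).` followed by `* select one of these algorithms from the \`ID Token Encryption Content Encryption Algorithm\` pulldown menu`. While here, `Key Encryption's algorithms` in the key management paragraph reads better as `Key encryption algorithms`.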