KEYCLOAK-6768 Signed and Encrypted ID Token Support
This commit is contained in:
Takashi Norimatsu
Marek Posolda
parent
7f40c21851
commit
f8d6c3374c
1 changed files with 29 additions and 1 deletions
|
|
@ -164,7 +164,35 @@ The administrator can select the following three options:
|
|||
|
||||
Please see https://tools.ietf.org/html/rfc7636[RFC 7636 Proof Key for Code Exchange by OAuth Public Clients] for more details.
|
||||
|
||||
|
||||
[[_jwe-id-token-encryption]]
|
||||
*Signed and Encrypted ID Token Support*
|
||||
|
||||
{project_name} can encrypt ID token according to https://tools.ietf.org/html/rfc7516[Json Web Encryption (JWE)] specification. The administrator can determine whether encrypting ID token or not per client. This feature is disabled as default.
|
||||
|
||||
The key for encrypting ID token is called Content Encryption Key (CEK). {project_name} and a client need to negotiate which CEK is used and how to deliver it. The way to do so is called Key Management Mode.
|
||||
|
||||
JWE specification determines 5 types of Key Management Mode. {project_name} supports Key Encryption among them.
|
||||
|
||||
In Key Encryption, the client generates a key pair of asymmetric cryptography. The public key is used to encrypt CEK. {project_name} generates CEK per ID token, encrypts the ID token by this generated CEK and encrypts this CEK by this client's public key. The client decrypts this encrypted CEK by their private key, and decrypt the ID token by decrypted CEK. Therefore, any party other than the client is not able to decrypt ID token.
|
||||
|
||||
The client needs to pass their public key for encrypting CEK onto {project_name}. {project_name} supports downloading public keys from the URL the client provides. The client needs to provide their public keys according to https://tools.ietf.org/html/rfc7517[Json Web Keys (JWK)] specification. The way to do so is defined in `Signed JWT` of <<_client-credentials, Confidential Client Credentials>>. The detailed procedure is as follows:
|
||||
|
||||
* open the client's `Credentials` tab
|
||||
* select `Signed Jwt` from `Client Authenticator` pulldown menu
|
||||
* set ON to `JWKS URL` switch
|
||||
* input the client's public key providing URL on `JWKS URL` textbox
|
||||
|
||||
Key Encryption's algorithms are defined in https://tools.ietf.org/html/rfc7518#section-4.1[Json Web Algorithm (JWA)] specification. {project_name} supports RSAES-PKCS1-v1_5(RSA1_5) and RSAES OAEP using default parameters (RSA-OAEP). The detailed procedure to select this algorithm is as follows:
|
||||
|
||||
* open the client's `Settings` tab
|
||||
* open `Advanced Settings`
|
||||
* select `RSA1_5` or `RSA-OAEP` from `ID Token Encryption Key Management Algorithm` pulldown menu
|
||||
|
||||
ID token encryption algorithms by CEK are also defined in https://tools.ietf.org/html/rfc7518#section-5.1[JWA] specification. {project_name} supports AES_128_CBC_HMAC_SHA_256 authenticated encryption (A128CBC-HS256) and AES GCM using 128-bit key (A128GCM). The detailed procedure to select this algorithm is as follows:
|
||||
|
||||
* open the client's `Settings` tab
|
||||
* open `Advanced Settings`
|
||||
* select `A128CBC-HS256` or `A128GCM` from `ID Token Encryption Content Encryption Algorithm` pulldown menu
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue