WIP: KEYCLOAK-6770 JWS signatures using PS256 or ES256 algorithms #5225

wants to merge 2 commits into from




@tnorimat tnorimat commented May 25, 2018

This PR is a trial implementation for supporting ES256 and RS256 JWS signature algorithms for tokens.

[supported signature algorithm]

  • Only ES256 and RS256 are supported
  • RS256 is used as default

[to whom selected signature algorithm can be adopted]

  • per Client

[how to specify a signature algorithm and the keys it uses]

  • On Admin UI
    • key management : -> Keys -> All -> add provider (ecdsa-generated)
    • signature algorithm : -> Clients -> -> Settings -> Fine Grain OIDC Client Settings -> ID Token Signature Algorithm (ES256)
  • OIDC Dynamic Client Registration

[tokens signed by specified signature algorithm]

  • ID Token, Access Token and Refresh Token (Offline Token) issued in all OAuth 2.0 Grant/OIDC Flows
    The following are out of scope for now.
    • UMA related tickets/permissions/tokens
    • OIDC Request Object
    • OIDC User Info
    • Tokens related to OIDC Dynamic Client Registration (Initial Access Token, Registration Access Token, etc...)
    • JWS Client Assertion
    • Tokens exchanged in Token Exchange
    • Tokens exchanged in Identity Brokering
    • Tokens used for event notification from keycloak to client

[when and where tokens signed by specified signature algorithm are verified]

  • when refreshing a token on the Token Endpoint
  • when introspecting a token on the Token Introspection Endpoint
  • when retrieving UserInfo on the UserInfo Endpoint
  • when tokens are received on a Client using the WildFly/JBoss EAP Client Adapter

[advertising server capability]

  • advertising ES256 support by Server Metadata


  • impacts on performance are not considered
  • Arquillian integration tests are also implemented and tested
@stianst stianst requested review from mposolda and stianst May 30, 2018
@stianst stianst self-assigned this May 30, 2018

@tnorimat tnorimat commented Aug 2, 2018

Closed this PR due to ECDSA support being implemented in the following PR.


@tnorimat tnorimat closed this Aug 2, 2018
@tnorimat tnorimat deleted the wip-jws-ecdsa branch Sep 12, 2018