I'm analyzing the "Protecting Tokens and Assertions from Forgery, Theft, and Misuse: Implementation Recommendations for Agencies and Cloud Service Providers" draft from NIST [1] and wanted to share some suggestions after performing a gap analysis against Keycloak.
1. The document suggests using an automatic Token (Realm) Signing Key rotation. Keycloak backlog seems to already contain a ticket that captures very similar requirements:
https://github.com/keycloak/keycloak/issues/11693
2. The document suggests providing a mechanism to revoke specific Tokens. Keycloak seems to conceptually handle this through sessions, which seems enough to satisfy the requirements. However the spec suggests providing Token Status List [2]. I wonder if we ever considered implementing this standard in Keycloak?
Apart from the first point mentioned above (but this can be automated externally - Keycloak exposes APIs to do it), I believe Keycloak provides all the necessary building blocks for the new emerging standard.
Thanks.
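Added example, not part of the original post and not Keycloak code: a minimal issuer/verifier pair for the Token Status List mechanism the post mentions, to make concrete what "revoking a specific token" looks like under that draft compared with Keycloak's session-based revocation. The bit layout (a `bits` value of 1, 2, 4 or 8 per entry, entry `i` stored at byte `(i*bits)//8` starting at bit `(i*bits) % 8`, least-significant bit first, the packed bytes zlib-compressed and base64url-encoded in `lst`) and the status values (0 valid, 1 invalid, 2 suspended) follow my reading of the IETF OAuth Status List draft and are assumptions to check against the current text. The token claims, the status list URI and the `SAMPLE_*` data are constructed for the example.

```python
import base64
import zlib

# Status values as described in the OAuth Status List draft (assumed from the spec text).
STATUS_VALID = 0x00
STATUS_INVALID = 0x01
STATUS_SUSPENDED = 0x02


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_status_list(statuses: list, bits: int = 1) -> dict:
    """Issuer side: pack one status value per token index into the compressed bitstring.

    Entry i occupies `bits` bits starting at bit (i*bits) % 8 of byte (i*bits)//8,
    least-significant bit first (assumed layout from the draft).
    """
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    max_value = (1 << bits) - 1
    buf = bytearray((len(statuses) * bits + 7) // 8)
    for idx, value in enumerate(statuses):
        if not 0 <= value <= max_value:
            # e.g. SUSPENDED (2) cannot be expressed in a 1-bit list; fail loudly
            raise ValueError(f"status {value} does not fit in {bits} bit(s)")
        byte_pos, bit_pos = divmod(idx * bits, 8)
        buf[byte_pos] |= value << bit_pos
    return {"bits": bits, "lst": b64url_encode(zlib.compress(bytes(buf), 9))}


def lookup_status(status_list: dict, idx: int) -> int:
    """Verifier side: decompress the list and read the status for one index."""
    bits = status_list["bits"]
    raw = zlib.decompress(b64url_decode(status_list["lst"]))
    byte_pos, bit_pos = divmod(idx * bits, 8)
    if byte_pos >= len(raw):
        # An index outside the published list is never treated as valid
        raise IndexError(f"index {idx} is beyond the status list")
    return (raw[byte_pos] >> bit_pos) & ((1 << bits) - 1)


def token_is_acceptable(token_claims: dict, status_list: dict) -> bool:
    """Accept the token only if the entry it references is VALID (fail closed)."""
    ref = token_claims["status"]["status_list"]
    return lookup_status(status_list, ref["idx"]) == STATUS_VALID


# Constructed sample data: ten issued tokens, one revoked (idx 3), one suspended (idx 7).
SAMPLE_STATUSES = [STATUS_VALID] * 10
SAMPLE_STATUSES[3] = STATUS_INVALID
SAMPLE_STATUSES[7] = STATUS_SUSPENDED
SAMPLE_STATUS_LIST = build_status_list(SAMPLE_STATUSES, bits=2)

# Constructed token payloads carrying the "status" reference claim (hypothetical URI).
SAMPLE_TOKEN_OK = {
    "sub": "alice",
    "status": {"status_list": {"idx": 0, "uri": "https://issuer.example/statuslists/1"}},
}
SAMPLE_TOKEN_REVOKED = {
    "sub": "bob",
    "status": {"status_list": {"idx": 3, "uri": "https://issuer.example/statuslists/1"}},
}

if __name__ == "__main__":
    print("alice accepted:", token_is_acceptable(SAMPLE_TOKEN_OK, SAMPLE_STATUS_LIST))
    print("bob accepted:", token_is_acceptable(SAMPLE_TOKEN_REVOKED, SAMPLE_STATUS_LIST))
    print("idx 7 status:", lookup_status(SAMPLE_STATUS_LIST, 7))
```

The design point for a Keycloak-style deployment is that the verifier needs no session lookup against the issuer: it fetches (and caches) one small list per issuer and decides locally, while revoking a token means the issuer flipping one entry and republishing the list. The verifier still has to validate the signature on the status list token itself before trusting its contents; that step is outside this example.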