NIST IR 8587 (Initial Public Draft) analysis


Sebastian Łaskawiec

Jan 21, 2026, 6:18:36 AM
to Keycloak Dev
Dear Keycloak Maintainers and Community,

I'm analyzing the "Protecting Tokens and Assertions from Forgery, Theft, and Misuse: Implementation Recommendations for Agencies and Cloud Service Providers" draft from NIST [1] and wanted to share some suggestions after performing a gap analysis against Keycloak.

1. The document suggests using automatic Token (Realm) Signing Key rotation. The Keycloak backlog seems to already contain a ticket that captures very similar requirements: https://github.com/keycloak/keycloak/issues/11693

2. The document suggests providing a mechanism to revoke specific Tokens. Keycloak seems to conceptually handle this through sessions, which seems enough to satisfy the requirements. However, the spec suggests providing a Token Status List [2]. I wonder if we ever considered implementing this standard in Keycloak?

Apart from the first point mentioned above (but this can be automated externally; Keycloak exposes APIs to do it), I believe Keycloak provides all the necessary building blocks for the new emerging standard.

Thanks.
Sebastian
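To illustrate the Token Status List mechanism raised in point 2, here is an added example (not Keycloak code and not part of the original thread). It assumes the encoding of the OAuth Token Status List draft: statuses packed from the least significant bit of each byte, DEFLATE-compressed, base64url-encoded, and referenced from a token's `status.status_list.idx` claim; the sample statuses and token are constructed.

```python
import base64
import zlib

# Status values as defined by the Token Status List draft (assumption).
STATUS_VALID, STATUS_INVALID, STATUS_SUSPENDED = 0, 1, 2


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_status_list(statuses: list, bits: int) -> dict:
    """Pack per-token statuses into a 'status_list' claim object (issuer side)."""
    if bits not in (1, 2, 4, 8):
        raise ValueError("bits must be 1, 2, 4 or 8")
    per_byte = 8 // bits
    raw = bytearray((len(statuses) + per_byte - 1) // per_byte)
    for idx, status in enumerate(statuses):
        if status >= (1 << bits):
            raise ValueError(f"status {status} does not fit in {bits} bit(s)")
        # index 0 occupies the least significant bits of byte 0
        raw[idx // per_byte] |= status << ((idx % per_byte) * bits)
    return {"bits": bits, "lst": _b64url_encode(zlib.compress(bytes(raw), 9))}


def decode_status_bytes(status_list: dict) -> bytes:
    """Undo base64url + DEFLATE to get the packed status bytes."""
    return zlib.decompress(_b64url_decode(str(status_list["lst"])))


def status_of(status_list: dict, idx: int) -> int:
    """Return the status of the token that references index ``idx`` (verifier side)."""
    bits, raw = int(status_list["bits"]), decode_status_bytes(status_list)
    per_byte = 8 // bits
    if idx < 0 or idx // per_byte >= len(raw):
        raise IndexError(f"index {idx} is outside the status list")
    return (raw[idx // per_byte] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)


def is_token_usable(status_list: dict, token_claims: dict) -> bool:
    """Fail closed: only an in-range index with status VALID is accepted."""
    ref = token_claims.get("status", {}).get("status_list")
    if ref is None:
        return False  # constructed policy: no status reference means reject
    try:
        return status_of(status_list, int(ref["idx"])) == STATUS_VALID
    except (IndexError, KeyError, ValueError, zlib.error):
        return False


# Constructed sample: 10 issued tokens; token 3 revoked, token 7 suspended.
SAMPLE_LIST = build_status_list([0, 0, 0, 1, 0, 0, 0, 2, 0, 0], bits=2)
SAMPLE_TOKEN = {"sub": "alice", "status": {"status_list": {"idx": 3, "uri": "https://issuer.example/statuslists/1"}}}
```

`SAMPLE_TOKEN` resolves to index 3 and is rejected; a verifier would fetch the list from the `uri` and cache it for the issuer's stated lifetime.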

Sebastian Łaskawiec

Jan 21, 2026, 6:42:36 AM
to Keycloak Dev
I have just realized that (1) already has a Pull Request: https://github.com/keycloak/keycloak/pull/45091

Alexander Schwartz

Feb 15, 2026, 4:33:06 PM
to Sebastian Łaskawiec, Keycloak Dev
Hello Sebastian,

I've just now commented on the PR about key rotation.

The other items might be best handled in Keycloak's OIDC working group.

Some thoughts in advance:
  • For Keycloak, you can end sessions and also revoke single tokens. Keeping a full history of tokens would need a lot of storage IMHO ...
  • There are ideas to support shared signals, which would allow publishing ended sessions to interested subscribers: https://github.com/keycloak/keycloak/pull/43950
  • There is also backchannel logout, which works well on logouts, but not so well on timed-out sessions. Does that help in its current state, or would it need enhancement?

Best
Alexander

--

Alexander Schwartz, RHCE

He/Him

Principal Software Engineer, Keycloak Maintainer

alexander...@ibm.com

Sebastian Łaskawiec

Feb 16, 2026, 2:47:11 AM
to Alexander Schwartz, Keycloak Dev
Thanks a million Alexander!

I'll definitely allocate a bit of time to review this PR this week.