JWKs with signing alg but use equals "enc"


Victor Nascimento

Oct 15, 2021, 8:50:54 AM
to Keycloak Dev
Hi lovely people!

I think there is a misinterpretation of the JWA specification currently in Keycloak. If you add an rsa-key provider with use "enc", you still have to choose an alg, and there are only JWS algorithms (which are for the sig use, not the enc use).

Both claims in a JWK are optional as I understand, but when present they must be the "intended". Here are the specifics from the spec:

https://datatracker.ietf.org/doc/html/rfc7517#section-4.2

>> The "use" (public key use) parameter identifies the intended use of the public key. The "use" parameter is employed to indicate whether a public key is used for encrypting data or verifying the signature on data.

https://datatracker.ietf.org/doc/html/rfc7517#section-4.4

>> The "alg" (algorithm) parameter identifies the algorithm intended for use with the key.

There are clients that will break when alg is a JWS alg and use is enc.

Sorry if this has been reported before. I tried to find some relations about it but couldn't.

Kind regards,
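One way to catch the mismatch described above on the receiving side is to audit a JWK Set for keys whose "use" and "alg" disagree. This is an added example, not Keycloak code or anything from the thread; it assumes the algorithm families from RFC 7518 (JWS algorithms imply use "sig", JWE key-management algorithms imply use "enc"), and the sample JWKS below is constructed with placeholder key material.

```python
"""Audit a JWK Set for keys whose "use" and "alg" disagree (RFC 7517 sections 4.2 and 4.4).

Added example, not Keycloak code. Algorithm families are taken from RFC 7518:
JWS algorithms imply use "sig"; JWE key-management algorithms imply use "enc".
"""
import json

# JWS (signature/MAC) algorithm identifiers from RFC 7518 section 3.1.
JWS_ALGS = {"HS256", "HS384", "HS512", "RS256", "RS384", "RS512",
            "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
# JWE key-management algorithm identifiers from RFC 7518 section 4.1.
JWE_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256", "A128KW", "A192KW", "A256KW",
            "dir", "ECDH-ES", "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW",
            "A128GCMKW", "A192GCMKW", "A256GCMKW",
            "PBES2-HS256+A128KW", "PBES2-HS384+A192KW", "PBES2-HS512+A256KW"}

def implied_use(alg):
    """Return the "use" value that an "alg" implies, or None if alg is unknown."""
    if alg in JWS_ALGS:
        return "sig"
    if alg in JWE_ALGS:
        return "enc"
    return None

def audit_jwks(jwks_json):
    """Return a list of (kid, problem) tuples for keys whose use and alg conflict."""
    findings = []
    for key in json.loads(jwks_json).get("keys", []):
        kid, use, alg = key.get("kid", "<no kid>"), key.get("use"), key.get("alg")
        if alg is None or use is None:
            continue  # both parameters are optional; nothing to cross-check
        expected = implied_use(alg)
        if expected is None:
            findings.append((kid, f"unknown alg {alg!r}"))
        elif expected != use:
            findings.append((kid, f'alg {alg!r} implies use "{expected}" but use is "{use}"'))
    return findings

# Constructed sample JWKS (placeholder key material, not real keys): one consistent
# sig key, one consistent enc key, and one key showing the mismatch from the thread.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA-OAEP-256", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "kid": "bad-1", "use": "enc", "alg": "RS256", "n": "AQAB", "e": "AQAB"},
]})

if __name__ == "__main__":
    for kid, problem in audit_jwks(SAMPLE_JWKS):
        print(f"{kid}: {problem}")
```

Running the block reports only the "bad-1" key, which is exactly the use="enc" with a JWS alg combination the post describes.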

乗松隆志 / NORIMATSU,TAKASHI

Nov 18, 2021, 3:28:54 PM
to keyclo...@googlegroups.com

Hello,


This issue has been resolved.

https://github.com/keycloak/keycloak/pull/8708


Regards,

Takashi Norimatsu

Hitachi, Ltd.
