Error “can not get encryption KEK” when trying to encrypt id token


Jesse Pitkanen

Oct 8, 2021, 10:55:11 AM
to keyclo...@googlegroups.com
Hello,

Working on Brazilian OB requirements, got this:

I've a client registered on keycloak that uses JWKS URL as key (https://keystore.sandbox.directory.openbankingbrasil.org.br/8292c33e-d95a-5fe7-8f27-dd7a95c68b55/9b944914-5ca5-431a-b30f-8e2f5d9c46aa/application.jwks).

It's working correctly when doing authentication through my authorization endpoint (/auth). I send an encrypted request object to my authorization endpoint and it can decrypt and validate without problems and returns the code and id_token.

There's a new requirement to return an encrypted id_token instead of just base64 format, so I've set the options below on keycloak client at Fine Grain OpenID Connect Configuration section:

ID Token Signature Algorithm=PS256
ID Token Encryption Key Management Algorithm=RSA-OAEP
ID Token Encryption Content Encryption Algorithm=A256GCM

After setting these properties, when trying to authenticate I'm receiving the message "Unexpected error when handling authentication request to identity provider" and in the keycloak logs I can see the error "KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: can not get encryption KEK"

I really don't know what's missing on my configuration or maybe on my JWKS file.

Regards!

Jesse J Pitkänen

乗松隆志 / NORIMATSU,TAKASHI

Oct 8, 2021, 6:19:10 PM
to Jesse Pitkanen, keyclo...@googlegroups.com

Hello Jesse,

Could you check the following two points?

1. key use field

To encrypt the ID token with your client's public key, you need to tell keycloak that the key is used for KEK (Key Encryption Key).

I have found that your key's use field is

"use":"sig"

Could you change it as follows?

"use":"enc"

2. use JWKS URI client setting

To make keycloak get your public key, you need to ask keycloak to do so.

Login to keycloak as admin.

Move to the following page.

Clients -> [your app] -> Keys

Set the following switch to ON.

Use JWKS URL

Enter the URL through which you provide your keys in the following setting box.

JWKS URL

Regards,

Takashi Norimatsu

Hitachi, Ltd.

--
You received this message because you are subscribed to the Google Groups "Keycloak Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to keycloak-dev...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/keycloak-dev/CAOZXnhStgxrK31_7zagYO31Mu1wAc2B5QuQHq81%3DkJVCNpEKUA%40mail.gmail.com.

Ranieri Mazili de Oliveira

Oct 11, 2021, 8:57:17 AM
to Keycloak Dev
Hello Takashi, thanks for your help. I'm working with Jesse on this issue and I've tried to apply your solution but it didn't work yet, but I think we're close...

To have a JWKS with enc set, I've made a copy of the original file and have duplicated the keys, replacing sig by enc.

Then I changed my client to use this file as you mentioned at step 2.

When running the test I see the following error on the logs:
2021-10-11 12:31:44,374 WARN  [org.keycloak.keys.infinispan.InfinispanPublicKeyStorageProvider] (default task-111) PublicKey wasn't found in the storage. Requested kid: 'null'. Available kids: '[TIP3MNUwy3RI3XU7d9F05NkYbiSwGVasssqg_nj2Bmk, 7dzPOnvHjVdQlYRTkC8BsGELIQ-D00jIBiyeJCcXkUQ]'
2021-10-11 12:31:44,374 WARN  [org.keycloak.services] (default task-111) KC-SERVICES0013: Failed authentication: java.lang.RuntimeException: can not get encryption KEK
at org.keycloak.jose.jws.DefaultTokenManager.getEncryptedToken(DefaultTokenManager.java:261)
at org.keycloak.jose.jws.DefaultTokenManager.encodeAndEncrypt(DefaultTokenManager.java:234)
at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.build(TokenManager.java:1102)
at org.keycloak.protocol.oidc.OIDCLoginProtocol.authenticated(OIDCLoginProtocol.java:263)
at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:921)
at org.keycloak.services.managers.AuthenticationManager.redirectAfterSuccessfulFlow(AuthenticationManager.java:869)
at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:1022)
at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:1086)

Before adding the enc keys, the available kids were an empty array; now it's listing my kids but it's showing that the requested kid is null... where should I send the requested kid for encryption?

乗松隆志 / NORIMATSU,TAKASHI

Oct 11, 2021, 7:36:42 PM
to Ranieri Mazili de Oliveira, Keycloak Dev
Hello Ranieri,

I've looked into InfinispanPublicKeyStorageProvider.java and its related classes.

Could you check the following two points?

1. key "alg" field
Here I assume that you used RSA-OAEP for encrypting the CEK.
https://datatracker.ietf.org/doc/html/rfc7518#section-4.1

Could you add the following "alg" field to your "enc" key?

"alg":"RSA-OAEP"

2. client app setting for ID token encryption

Could you login to keycloak's admin console and verify the following setting?

Clients
->[your client app]
->Fine Grain OpenID Connect Configuration
->ID Token Encryption Key Management Algorithm
RSA-OAEP

Also note that it might be better to use a unique "kid" for each key even if its "use" is different.

Regards,
Takashi Norimatsu
Hitachi, Ltd.



Ranieri Mazili de Oliveira

Oct 13, 2021, 10:16:26 AM
to Keycloak Dev
Thanks Takashi, it's working now... I had to add the alg attribute on jwks file.
Thanks again for your support.
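The three JWKS conditions raised in this thread (a key with "use":"enc", an "alg" matching the client's ID Token Encryption Key Management Algorithm, and a unique "kid" per key) can be checked before publishing the key set. The following is an added example, not code from the thread or from Keycloak; the JWKS documents are constructed samples with placeholder key material, and the selection rule in select_encryption_key is an assumption modelling the behaviour described above, not Keycloak's actual lookup code.

```python
# Constructed sample JWKS documents modelled on the thread. The key material is a
# placeholder string, not a real RSA modulus; only the metadata fields matter here.
PLACEHOLDER_N = "AQAB" * 8

# Original state: only a signing key is published -> "can not get encryption KEK".
JWKS_SIG_ONLY = {"keys": [
    {"kty": "RSA", "kid": "kid-sig-1", "use": "sig", "alg": "PS256", "n": PLACEHOLDER_N, "e": "AQAB"},
]}
# Intermediate state: the sig key was copied to "use":"enc" but without "alg",
# and the copy kept the same kid (the two issues raised in the second reply).
JWKS_ENC_NO_ALG = {"keys": [
    {"kty": "RSA", "kid": "kid-1", "use": "sig", "alg": "PS256", "n": PLACEHOLDER_N, "e": "AQAB"},
    {"kty": "RSA", "kid": "kid-1", "use": "enc", "n": PLACEHOLDER_N, "e": "AQAB"},
]}
# Fixed state: distinct kid, "use":"enc" and "alg":"RSA-OAEP" on the encryption key.
JWKS_FIXED = {"keys": [
    {"kty": "RSA", "kid": "kid-sig-1", "use": "sig", "alg": "PS256", "n": PLACEHOLDER_N, "e": "AQAB"},
    {"kty": "RSA", "kid": "kid-enc-1", "use": "enc", "alg": "RSA-OAEP", "n": PLACEHOLDER_N, "e": "AQAB"},
]}


def select_encryption_key(jwks, key_mgmt_alg):
    """Return the first key usable as a KEK for key_mgmt_alg, or None.

    Assumption: this models the lookup the thread describes (no kid is requested,
    so the key is chosen by kty/use/alg); it is not Keycloak's implementation.
    """
    for key in jwks.get("keys", []):
        if key.get("kty") == "RSA" and key.get("use") == "enc" and key.get("alg") == key_mgmt_alg:
            return key
    return None


def lint_jwks(jwks, key_mgmt_alg="RSA-OAEP"):
    """Return a list of problems that would leave the client without an encryption KEK."""
    problems = []
    keys = jwks.get("keys", [])
    kids = [k.get("kid") for k in keys]
    dupes = {k for k in kids if kids.count(k) > 1}
    if dupes:
        problems.append(f"duplicate kid(s) reused across keys: {sorted(map(str, dupes))}")
    enc_keys = [k for k in keys if k.get("use") == "enc"]
    if not enc_keys:
        problems.append('no key with "use":"enc" (only "sig" keys published)')
    for k in enc_keys:
        if "alg" not in k:
            problems.append(f'enc key {k.get("kid")!r} has no "alg" field')
        elif k["alg"] != key_mgmt_alg:
            problems.append(f'enc key {k.get("kid")!r} alg {k["alg"]!r} != client setting {key_mgmt_alg!r}')
    if select_encryption_key(jwks, key_mgmt_alg) is None:
        problems.append(f"no KEK selectable for {key_mgmt_alg}: expect 'can not get encryption KEK'")
    return problems
```

Run lint_jwks against the JWKS your client actually serves and against the value set under Fine Grain OpenID Connect Configuration; an empty list means the key set satisfies all three conditions from the thread.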
