Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[keycloak - OID4VCI] Make signature-algorithm selectable #13

Open
Tracked by #7
francis-pouatcha opened this issue Oct 21, 2024 · 3 comments
Open
Tracked by #7

[keycloak - OID4VCI] Make signature-algorithm selectable #13

francis-pouatcha opened this issue Oct 21, 2024 · 3 comments
Assignees
@IngridPuppet

Comments

@francis-pouatcha
Copy link
Member

francis-pouatcha commented Oct 21, 2024
edited by IngridPuppet
Loading

This is a proxy of:
@francis-pouatcha francis-pouatcha mentioned this issue Oct 21, 2024
Open
12 tasks
@IngridPuppet IngridPuppet self-assigned this Nov 19, 2024
@adorsys adorsys deleted a comment from nitch2019 Nov 19, 2024
@IngridPuppet
Copy link
Collaborator

The description on the source ticket reads:

OpenID4VCI supports several signature algorithms. By default we should use the active key of keycloak to sign credentials, but we should also allow to override the key-usage in the ClientScopes configuration model by referencing another available key in Keycloak that is then used instead of the active key.

Let us break it down:

  1. OpenID4VCI supports several signature algorithms.
  2. By default we should use the active key of keycloak to sign credentials.
  3. But we should also allow to override the key-usage in the ClientScopes configuration model by referencing another available key in Keycloak.

OpenID4VCI makes indeed a case for a credential issuer to support several signature algorithms, which should be communicated by the credential_signing_alg_values_supported entry on the Credential Issuer Metadata endpoint.

On point 2, the current state of Keycloak's implementation already uses the active key "by default" for signing.

https://github.com/keycloak/keycloak/blob/aaade6caab70cc0f461e2062b7cb2d7817359226/services/src/main/java/org/keycloak/protocol/oid4vc/issuance/signing/SigningService.java#L61-L75

    /**
     * Returns the key stored under kid, or the active key for the given jws algorithm,
     *
     * @param kid
     * @param algorithm
     * @return
     */
    protected KeyWrapper getKey(String kid, String algorithm) {
        // Allow the service to work with the active key if keyId is null
        // And we still have to figure out how to proceed with key rotation
        if (keyId == null) {
            return keycloakSession.keys().getActiveKey(keycloakSession.getContext().getRealm(), KeyUse.SIG, algorithm);
        }
        return keycloakSession.keys().getKey(keycloakSession.getContext().getRealm(), kid, KeyUse.SIG, algorithm);
    }

That takes us to Point 3 about overriding this default key for signing.

  • Isn't that already covered by the signing services having the possibility to be configured with an alternative key ID?
  • How different is the current overriding mechanism from the "ClientScopes configuration model" suggested?
  • Is the mention of overriding the "key-usage" in the description meaning to consider keys not annotated with KeyUse.SIG?

CC: @francis-pouatcha

@IngridPuppet
Copy link
Collaborator

Sync conclusions:

@IngridPuppet
Copy link
Collaborator

This ticket is likely to be closed with the changes of #9.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@IngridPuppet IngridPuppet

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@francis-pouatcha @IngridPuppet @Ogenbertrand