How can I configure Keycloak to use HMAC algorithm as default instead of RSA?


Question

I have created a new realm in Keycloak and in the admin tab Keys -> Active I can see three entries: RSA, HMAC, AES.

Whenever a JWT token is generated the signature algorithm used is RSA. How can I use HMAC instead?

Recommended answer

I had the same question and found the following answers:

The latest documentation says that only RSA is supported for access tokens. (http://www.keycloak.org/docs/3.3/server_admin/topics/realms/keys.html)

There is a plan to sign refresh tokens with HMAC. Look at this user mailing list entry for more details: "It is not great to sign accessTokens and idTokens by HMAC anyway since the applications will need to have access to the realm signing key. As it is symmetric stuff. This can be a security hole as then the application can generate and sign tokens by itself. Hence we rather rely on the asymmetric cryptography - Keycloak signs tokens with private key and application has just public key to verify signatures." http://lists.jboss.org/pipermail/keycloak-user/2017-May/010809.html

Here is the JIRA for it: https://issues.jboss.org/browse/KEYCLOAK-4623 and internally https://issues.jboss.org/browse/KEYCLOAK-4622
