As an Identity Broker, can Keycloak be configured to receive encrypted ID Tokens?

I am using Keycloak 10.0.1. I am trying to set up Identity Brokering between an OIDC Provider and another application. I was able to achieve successful user login when the ID Tokens were not encrypted.

I am trying to configure Keycloak to be able to accept encrypted ID Tokens. But when setting up an OIDC identity provider in Keycloak under “Identity Providers”, there was no option to explicitly indicate that the ID Tokens would be encrypted, nor was there any option to indicate what key to use for decryption.

I have tried adding a self-generated RSA key to “Realm Settings > Keys”, and did the configuration at the OIDC Provider end to use the public key for encryption. In the JWE representation of the encrypted ID Token, the JOSE header contains “RSA-OAEP-256” in the “alg” and “A256CBC-HS512” in the “enc”. However, now with encryption enabled, I get the following exception when I try to log in from the OIDC Provider:

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-94) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: Invalid token

I have tested separately to confirm that the encrypted ID token has been generated properly. The OIDC provider that I have been using is this: https://github.com/panva/node-oidc-provider

Is there anything which I may have misconfigured?
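A quick way to confirm what the broker is actually receiving before digging into configuration is to look at the compact serialization of the token: a signed ID Token (JWS) has three dot-separated segments, an encrypted one (JWE) has five, and the JOSE header of a JWE carries both `alg` (key wrapping) and `enc` (content encryption), as in the question above. The following Python helper is an added example, not code from the thread or from Keycloak; the two sample tokens are constructed in-line with placeholder bytes, and the `kid` values are invented for illustration.

```python
import base64
import json

# Sample tokens constructed here for illustration (not real tokens from the thread).
# Only the JOSE header segment carries meaning; the remaining segments are
# placeholder bytes of roughly the right shape.

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(segment: str) -> bytes:
    # Re-add the padding that compact serialization strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

# JWE compact serialization: header.encrypted_key.iv.ciphertext.tag (5 segments),
# with the same alg/enc pair the question reports.
SAMPLE_JWE = ".".join([
    _segment({"alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "kid": "example-enc-key"}),
    _b64url_encode(b"\x00" * 32),   # placeholder for the RSA-wrapped content key
    _b64url_encode(b"\x01" * 16),   # placeholder IV
    _b64url_encode(b"\x02" * 48),   # placeholder ciphertext
    _b64url_encode(b"\x03" * 32),   # placeholder authentication tag
])

# JWS compact serialization: header.payload.signature (3 segments).
SAMPLE_JWS = ".".join([
    _segment({"alg": "RS256", "typ": "JWT", "kid": "example-sig-key"}),
    _segment({"iss": "https://op.example", "sub": "alice", "aud": "keycloak"}),
    _b64url_encode(b"\x04" * 64),   # placeholder signature
])

def inspect_id_token(token: str) -> dict:
    """Classify a compact JOSE token as JWS or JWE and report the header fields
    a broker needs in order to verify (JWS) or first decrypt (JWE) it."""
    parts = token.split(".")
    if len(parts) == 3:
        kind = "JWS"
    elif len(parts) == 5:
        kind = "JWE"
    else:
        raise ValueError(f"not a compact JWS/JWE: {len(parts)} segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise ValueError("JOSE header is not valid base64url-encoded JSON") from exc
    result = {
        "kind": kind,
        "alg": header.get("alg"),
        "enc": header.get("enc"),
        "kid": header.get("kid"),
        "needs_decryption": kind == "JWE",
    }
    if kind == "JWE":
        # The broker must hold the private key matching this kid and support
        # this alg/enc pair before it can even reach signature validation.
        result["decryption_key_hint"] = (
            f"private key for kid {header.get('kid')!r}, "
            f"{header.get('alg')}/{header.get('enc')}"
        )
    return result

if __name__ == "__main__":
    for name, tok in (("JWE", SAMPLE_JWE), ("JWS", SAMPLE_JWS)):
        print(name, inspect_id_token(tok))
```

Run this against the `id_token` captured from the OP's token response: five segments with an `enc` header means the broker needs a decryption step keyed by the realm's private key before it can validate the inner signed token, so an “Invalid token” error on a JWE is the expected symptom of a broker that only understands JWS.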


Did you ever figure this out? I have a similar situation with an external identity provider that wants to sign responses.

I had to make some changes to the Keycloak code base as it does not handle JWE out of the box.

Your scenario sounds quite different from mine. Are you referring to the signing of JWT? There is a configuration you can set for it. What you need is the public key that the OP uses for signing, in X509 format.

Hi @edmund
I have a similar case to yours. May I know the steps you used to implement this in your Keycloak?

I am confused about how I should publish the encryption JWK, because Keycloak currently does not support it, and about how I can use the private key to encrypt the incoming ID Token.