mattmorg55 / Owin.Security.Keycloak

Keycloak Authentication Middleware for the C# OWIN Pipeline
http://keycloak.jboss.org
MIT License

Feature/Fix for Refresh token signature validation with Keycloak v4.5 #9

Closed highbyte closed 5 years ago

highbyte commented 5 years ago

In Keycloak server v4.5 the encryption algorithm for Refresh tokens was changed from RS256 to HS256. Ref: https://issues.jboss.org/browse/KEYCLOAK-4622

This affects the library when ASP.NET MVC applications are used (but not for WebApi). It made the requests fail with the error "IDX10501: Signature validation failed. Unable to match 'kid': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' .. "

The cause of the error is that the library tries to validate the encrypted signature of the Refresh tokens as if they were encrypted with RS256 (Keycloak public key), when they are now encrypted with HS256 (secret). The Access token is still validated OK, as it still uses RS256.

This fix introduces a configuration option "DisableRefreshTokenSignatureValidation" that can be set to true to disable the signature validation of Refresh tokens. The contents of the Refresh token should not be used/trusted by the application, only sent back to the Keycloak server when required (and the server validates the Refresh token).

By setting option DisableRefreshTokenSignatureValidation to true, this library will still work with Keycloak server 4.5.

Note: The other commit username is my own; I forgot to change it to my GitHub user before committing.
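As an added illustration (not code from this repository, and in Go rather than the library's C#), the two token shapes described above side by side: an RS256 access token verified against the realm public key, and an HS256 refresh token that a correctly written validator rejects on its header before any key lookup, which is the mismatch behind the IDX10501 error. The kid values, claims and HMAC secret are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// Sign builds a compact JWT over constructed claims: RS256 with the realm RSA key, otherwise
// HS256 with a shared secret (the scheme Keycloak 4.5 moved refresh tokens to, per the issue).
func Sign(alg, kid, claims string, key *rsa.PrivateKey, secret []byte) string {
	hdr := fmt.Sprintf(`{"alg":%q,"kid":%q}`, alg, kid)
	input := b64.EncodeToString([]byte(hdr)) + "." + b64.EncodeToString([]byte(claims))
	d := sha256.Sum256([]byte(input))
	var sig []byte
	if alg == "RS256" {
		sig, _ = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
	} else {
		m := hmac.New(sha256.New, secret)
		m.Write([]byte(input))
		sig = m.Sum(nil)
	}
	return input + "." + b64.EncodeToString(sig)
}

// ValidateAccessToken checks alg and kid before any cryptography, so an HS256 refresh token is
// rejected outright instead of being matched against the realm public key (the IDX10501 case).
// Refresh tokens never come here: the client keeps them opaque and hands them back to Keycloak.
func ValidateAccessToken(token, kid string, pub *rsa.PublicKey) (string, error) {
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // nil on bad input
	p := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if len(p) != 3 || json.Unmarshal(dec(p[0]), &hdr) != nil {
		return "", fmt.Errorf("not a well-formed JWS")
	}
	if hdr.Alg != "RS256" || hdr.Kid != kid {
		return "", fmt.Errorf("refusing token with alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	d := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], dec(p[2])); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	return string(dec(p[1])), nil // the verified signature covers p[1] verbatim
}
```

The same dispatch is what the DisableRefreshTokenSignatureValidation option achieves in the middleware: only the access token is signature-checked by the client, and the refresh token is left for the Keycloak server to validate.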

highbyte commented 5 years ago

Thanks for the merge @mattmorg55. Do you want me to build and publish the NuGet package to nuget.org like last time?

mattmorg55 commented 5 years ago

@highbyte yes, please publish the new package.