Description
We would like to have certificates directly created by Keycloak if we create new EC key providers.
To make this possible I would like to add a new configuration property to the EC key providers that allows creating a certificate if wanted. So it is an optional feature:
If activated, Keycloak shall create a certificate for the specific key if a new key of this type is created.
Discussion
No response
Motivation
We have a complicated workflow that generates an ephemeral key in the process that is eventually used to generate a shared secret K which we then use to create an HMAC for a returned credential.
In order for the Relying Party to verify that the credential was issued by Keycloak, a certificate chain is required in the JWS header. The certificate chain does contain a certificate of the ephemeral key that was also created temporarily, but that is signed by the provider key's certificate. Like this, the Relying Party is able to look up the validity of the HMAC by verifying the two certificates of the certificate chain.
The base of this workflow is the repudiation of a user's data. The Relying Party is able to verify that the data comes from Keycloak because the Relying Party knows it did not add the HMAC to the credential. But if the data is exposed to a third party, the third party will not be able to verify if the Relying Party did mess with the data because it cannot verify if the HMAC was generated by the Relying Party or by the PID Provider.
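The two-certificate chain and its verification as described in the issue, written out as an added example for this page (it is neither Keycloak code nor the issue author's, and it uses only the Go standard library). It assumes: a self-signed provider certificate marked as a CA (the certificate the issue asks Keycloak to create), an ephemeral P-256 key whose certificate is signed by the provider key, and that K is derived by ECDH between the ephemeral key and a Relying Party key and hashed with SHA-256 (the issue does not say how K is obtained, so that derivation, the HS256 compact JWS shape, the names such as `keycloak-provider`, the one-hour validity and the constructed payload `{"sub":"alice"}` are all assumptions). `Verify` is the Relying Party side: it validates the `x5c` chain against its own trusted copy of the provider certificate, takes the ephemeral public key from the leaf, derives K and checks the MAC, so a tampered payload, a chain to an untrusted provider or a MAC under the wrong key are all rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// must panics on error; demo scaffolding for key and certificate generation only.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// GenKey returns a fresh P-256 key (provider, ephemeral and Relying Party keys all use it here).
func GenKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// NewCert returns a DER certificate for pub signed by parentKey. With parent == nil it is the
// self-signed provider certificate (what the issue asks Keycloak to create), marked as a CA so
// that it may sign the ephemeral certificate. Names and the one-hour validity are assumptions.
func NewCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage, parent = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey))
}

// sharedSecret derives K = SHA-256(ECDH(priv, pub)); assumed KDF, the issue does not say how K is derived.
func sharedSecret(priv *ecdsa.PrivateKey, pub *ecdsa.PublicKey) ([]byte, error) {
	d, err1 := priv.ECDH()
	q, err2 := pub.ECDH()
	if err1 != nil || err2 != nil { return nil, errors.New("unsupported curve") }
	z, err := d.ECDH(q)
	if err != nil { return nil, err }
	k := sha256.Sum256(z)
	return k[:], nil
}

func b64u(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Issue builds a compact JWS: x5c = [ephemeral cert, provider cert] (standard base64 per
// RFC 7515) and an HS256 MAC keyed with K = ECDH(ephemeral private key, RP public key).
func Issue(payload []byte, ephKey *ecdsa.PrivateKey, ephDER, provDER []byte, rpPub *ecdsa.PublicKey) (string, error) {
	x5c := []string{base64.StdEncoding.EncodeToString(ephDER), base64.StdEncoding.EncodeToString(provDER)}
	hdr, _ := json.Marshal(map[string]any{"alg": "HS256", "x5c": x5c})
	k, err := sharedSecret(ephKey, rpPub)
	if err != nil { return "", err }
	input := b64u(hdr) + "." + b64u(payload)
	mac := hmac.New(sha256.New, k)
	mac.Write([]byte(input))
	return input + "." + b64u(mac.Sum(nil)), nil
}

// Verify is the Relying Party side: validate the x5c chain up to its own trusted copy of the
// provider cert, take the ephemeral public key from the leaf, derive K and check the MAC.
func Verify(jws string, rpKey *ecdsa.PrivateKey, trusted *x509.Certificate) ([]byte, error) {
	parts := strings.Split(jws, ".")
	if len(parts) != 3 { return nil, errors.New("malformed JWS") }
	var hdr struct{ Alg string; X5c []string } // encoding/json matches "alg"/"x5c" case-insensitively
	hj, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hj, &hdr) != nil || hdr.Alg != "HS256" || len(hdr.X5c) == 0 {
		return nil, errors.New("bad header; the token must not choose the algorithm")
	}
	var chain []*x509.Certificate
	for _, s := range hdr.X5c {
		der, err := base64.StdEncoding.DecodeString(s)
		c, perr := x509.ParseCertificate(der)
		if err != nil || perr != nil { return nil, errors.New("bad x5c entry") }
		chain = append(chain, c)
	}
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trusted) // the trust anchor is the RP's own copy, never a cert taken from x5c
	for _, c := range chain[1:] { inter.AddCert(c) }
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := chain[0].Verify(opts); err != nil { return nil, fmt.Errorf("chain: %w", err) }
	ephPub, ok := chain[0].PublicKey.(*ecdsa.PublicKey)
	if !ok { return nil, errors.New("leaf is not an EC certificate") }
	k, err := sharedSecret(rpKey, ephPub)
	if err != nil { return nil, err }
	mac := hmac.New(sha256.New, k)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad HMAC")
	}
	return base64.RawURLEncoding.DecodeString(parts[1])
}

func main() {
	provKey, ephKey, rpKey := GenKey(), GenKey(), GenKey()
	provDER := NewCert("keycloak-provider", &provKey.PublicKey, nil, provKey)
	provCert := must(x509.ParseCertificate(provDER))
	ephDER := NewCert("ephemeral", &ephKey.PublicKey, provCert, provKey)
	jws := must(Issue([]byte(`{"sub":"alice"}`), ephKey, ephDER, provDER, &rpKey.PublicKey)) // constructed payload
	fmt.Println(string(must(Verify(jws, rpKey, provCert))))
}
```

Run it with `go run` (Go 1.20 or newer for `crypto/ecdh`). Two design points matter for the issue's use case: the Relying Party must pin `alg` and anchor the chain in its own copy of the provider certificate, since anything inside `x5c` is attacker-controlled until the chain has been checked; and K is only bound to the provider because it is computed from the public key of the leaf certificate that the provider signed, which is why the provider certificate the issue asks for has to be a CA certificate rather than a plain end-entity certificate.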