diff --git a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
index 7c3335e..6c57274 100755
--- a/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
+++ b/broker/oidc/src/main/java/org/keycloak/broker/oidc/OIDCIdentityProviderFactory.java
@@ -21,6 +21,7 @@ import org.keycloak.broker.oidc.util.SimpleHttp;
import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKParser;
+import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.IdentityProviderModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.representations.JSONWebKeySet;
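Review bot: The added import `org.keycloak.jose.jws.Algorithm` is not referenced by any added line in this file's hunks, so it appears to be an unused import left over from an earlier draft of the fix. Either drop the import line, or, if a check of the key's `alg` member was intended alongside the new key-type check, add that check where the signature key is selected so the import has a purpose.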
@@ -80,7 +81,7 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
JSONWebKeySet keySet = JsonSerialization.readValue(keySetString, JSONWebKeySet.class);
for (JWK jwk : keySet.getKeys()) {
JWKParser parse = JWKParser.create(jwk);
- if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE)) {
+ if (parse.getJwk().getPublicKeyUse().equals(JWK.SIG_USE) && keyTypeSupported(jwk.getKeyType())) {
PublicKey key = parse.toPublicKey();
config.setPublicKeySignatureVerifier(KeycloakModelUtils.getPemFromKey(key));
config.setValidateSignature(true);
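Review bot: The new condition still dereferences `parse.getJwk().getPublicKeyUse()` before `.equals`, so a JWKS entry that omits the optional `use` member throws a NullPointerException and aborts the whole import instead of being skipped, while the added `keyTypeSupported` helper is null-safe only for `kty`. Reversing the comparison keeps the current behaviour for keys that set `use` and lets the missing case fall through: `if (JWK.SIG_USE.equals(jwk.getPublicKeyUse()) && keyTypeSupported(jwk.getKeyType())) {` (assuming `parse.getJwk()` hands back the same `JWK` passed to `JWKParser.create`). The line also reads one key through two references, `parse.getJwk()` and `jwk`; using `jwk` for both is clearer. The enclosing method starts and ends outside this hunk, so whether the loop stops after the first accepted key is not visible here.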
@@ -95,4 +96,8 @@ public class OIDCIdentityProviderFactory extends AbstractIdentityProviderFactory
}
return config.getConfig();
}
+
+ protected static boolean keyTypeSupported(String type) {
+ return type != null && type.equals("RSA");
+ }
}
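Review bot: `keyTypeSupported` is a new protected method with no Javadoc saying why only `"RSA"` passes, and that is the security-relevant decision in this change: a signature key of any other type is now skipped silently rather than rejected with an error the administrator would see. Suggest a Javadoc such as `/** Returns true only for JWK key types this factory can turn into a signature verifier (currently RSA); keys of other types are skipped during import. */`. The body can also be the equivalent null-safe one-liner `return "RSA".equals(type);`.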
diff --git a/broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java b/broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java
new file mode 100755
index 0000000..5de115e
--- /dev/null
+++ b/broker/oidc/src/test/java/org/keycloak/broker/oidc/OIDCIdentityProviderTest.java
@@ -0,0 +1,26 @@
+package org.keycloak.broker.oidc;
+
+import org.junit.Test;
+
+/**
+ * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
+ * @version $Revision: 1 $
+ */
+public class OIDCIdentityProviderTest {
+
+ @Test
+ public void testUnsupportedKeyInput() throws Exception {
+ String json = "{" +
+ "\"version\":\"3.0\"," +
+ "\"issuer\":\"https://server.com:443\"," +
+ "\"authorization_endpoint\":\"https://server.com:443/oauth2\"," +
+ "\"token_endpoint\":\"https://server.com:443/token\"," +
+ "\"revocation_endpoint\":\"https://server.com:443/revoke\"," +
+ "\"userinfo_endpoint\":\"https://server.com:443/userinfo\"," +
+ "\"jwks_uri\":\"https://server.com:443/JWKS\"," +
+ "\"scopes_supported\"[\"phone\",\"address\",\"email\",\"openid\",\"profile\"]," +
+ "\"response_types_supported\":[\"code\",\"token\",\"id_token\",\"code token\",\"code id_token\",\"token id_token\",\"code token id_token\"]," +
+ "\"subject_types_supported\":[\"public\"]," +
+ "\"id_token_signing_alg_values_supported\":[\"HS256\",\"HS384\",\"HS512\",\"RS256\",\"RS384\",\"RS512\",\"ES256\",\"ES84\",\"ES512\"]} ";
+ }
+}
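Review bot: `testUnsupportedKeyInput` builds `json` but never passes it anywhere or asserts anything, so it passes regardless of what the factory does; the string also has a syntax slip (`"scopes_supported"[` is missing the colon before the array) and would not parse as JSON if it were used, and `ES84` in the alg list looks like a typo for `ES384`. Since the test lives in the same package as the factory, it can pin the new filter directly on the `protected static` helper: `Assert.assertTrue(OIDCIdentityProviderFactory.keyTypeSupported("RSA"));`, `Assert.assertFalse(OIDCIdentityProviderFactory.keyTypeSupported("EC"));`, `Assert.assertFalse(OIDCIdentityProviderFactory.keyTypeSupported(null));`. If the discovery document is meant to drive a full import later, fix the JSON and keep it as a separate test so the helper assertions stand on their own.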