keycloak-scim/server_admin/topics/authentication/clients/oidc/con-confidential-client-credentials.adoc

80 lines
3.5 KiB
Text
Raw Normal View History

2020-10-12 20:26:27 +00:00
[id="con-confidential-client-credentials_{context}"]
[[_client-credentials]]
= Confidential Client Credentials
[role="_abstract"]
2020-11-11 16:00:15 +00:00
If the <<_access-type, access type>> of the client is set to *confidential*, the credentials of the client must be configured under the *Credentials* tab.
2020-10-12 20:26:27 +00:00
.Credentials Tab
image:{project_images}/client-credentials.png[Credentials Tab]
2021-04-20 15:41:02 +00:00
The *Client Authenticator* drop-down list specifies the type of credential to use for your client.
2020-10-12 20:26:27 +00:00
*Client ID and Secret*
2020-11-13 14:09:23 +00:00
This choice is the default setting. The secret is automatically generated for you and the clicking *Regenerate Secret* recreates the secret if necessary.
2020-10-12 20:26:27 +00:00
.Signed JWT
image:{project_images}/client-credentials-jwt.png[]
2020-11-11 16:00:15 +00:00
*Signed JWT* is "Signed Json Web Token".
2020-10-12 20:26:27 +00:00
2021-04-20 15:41:02 +00:00
When choosing this credential type you will have to also generate a private key and certificate for the client in the *Keys* tab. The private key will be used to sign the JWT, while the certificate is used by the server to verify the signature.
Click *Generate new keys and certificate* to start this process.
2020-10-12 20:26:27 +00:00
.Generate Keys
image:{project_images}/generate-client-keys.png[]
. Select the archive format you want to use.
. Enter a *key password*.
. Enter a *store password*.
2020-11-11 16:00:15 +00:00
. Click *Generate and Download*.
2020-10-12 20:26:27 +00:00
2020-11-13 14:09:23 +00:00
When you generate the keys, {project_name} will store the certificate and you download the private key and certificate for your client.
2020-10-12 20:26:27 +00:00
2020-11-13 14:09:23 +00:00
You can also generate keys using an external tool and then import the client's certificate by clicking *Import Certificate*.
2020-10-12 20:26:27 +00:00
.Import Certificate
image:{project_images}/import-client-cert.png[Import Certificate]
2020-10-12 20:26:27 +00:00
. Select the archive format of the certificate.
. Enter the store password.
2020-11-13 14:09:23 +00:00
. Select the certificate file by clicking *Import File*.
2020-11-11 16:00:15 +00:00
. Click *Import*.
2020-10-12 20:26:27 +00:00
2020-11-13 14:09:23 +00:00
Importing a certificate is unnecessary if you click *Use JWKS URL*. In this case, you can provide the URL where the public key is published in https://self-issued.info/docs/draft-ietf-jose-json-web-key.html[JWK] format. With this option, if the key is ever changed, {project_name} reimports the key.
2020-10-12 20:26:27 +00:00
If you are using a client secured by {project_name} adapter, you can configure the JWKS URL in this format, assuming that https://myhost.com/myapp is the root URL of your client application:
[source,bash,subs=+attributes]
----
https://myhost.com/myapp/k_jwks
----
See link:{developerguide_link}[{developerguide_name}] for more details.
2020-11-13 14:09:23 +00:00
WARNING: {project_name} caches public keys of OIDC clients. If the private key of your client is compromised, update your keys and clear the key cache. See <<_clear-cache, Clearing the cache>> section for more details.
2020-10-12 20:26:27 +00:00
*Signed JWT with Client Secret*
If you select this option, you can use a JWT signed by client secret instead of the private key.
The client secret will be used to sign the JWT by the client.
*X509 Certificate*
{project_name} will validate if the client uses proper X509 certificate during the TLS Handshake.
NOTE: This option requires mutual TLS in {project_name}. See <<_enable-mtls-wildfly, Enable mutual SSL in WildFly>>.
.X509 Certificate
image:{project_images}/x509-client-auth.png[]
The validator also checks the Subject DN field of the certificate with a configured regexp validation expression. For some
use cases, it is sufficient to accept all certificates. In that case, you can use `(.*?)(?:$)` expression.
Two ways exist for {project_name} to obtain the Client ID from the request:
* The `client_id` parameter in the query (described in Section 2.2 of the https://tools.ietf.org/html/rfc6749[OAuth 2.0 Specification]).
* Supply `client_id` as a form parameter.