keycloak-scim/topics/clients/oidc/confidential.adoc

[[_client-credentials]]

==== Confidential Client Credentials

If you've set the client's <<fake/../../../clients/client-oidc.adoc#_access-type, access type>> to `confidential` in the client's
`Settings` tab, a new `Credentials` tab will show up. As part of dealing with this
type of client you have to configure the client's credentials.

.Credentials Tab
image:../../../{{book.images}}/client-credentials.png[]

The `Client Authenticator` list box specifies the type of credential you are going to use for your confidential client.
It defaults to client ID and secret.  The secret is automatically generated for you and the `Regenerate Secret`
button allows you to recreate this secret if you want or need to.

Alternatively, you can opt to use a signed Json Web Token (JWT) instead of a secret.

.Signed JWT
image:../../../{{book.images}}/client-credentials-jwt.png[]

When choosing this credential type you will have to also generate a private key and certificate for the client.  The private key
will be used to sign the JWT, while the certificate is used by the server to verify the signature.  Click on the
`Generate new keys and certificate` button to start this process.

.Generate Keys
image:../../../{{book.images}}/generate-client-keys.png[]

When you generate these keys, {{book.project.name}} will store the certificate, and you'll need to download the private key
and certificate for your client to use.  Pick the archive format you want and specify the password for the private key
and store.

You can also opt to
generate these via an external tool and just import the client's certificate.

.Import Certificate
image:../../../{{book.images}}/import-client-cert.png[]

There are multiple formats you can import from, just choose the archive format you have the certificate stored in,
select the file, and click the `Import` button.

Finally note that you don't even need to import certificate if you choose to `Use JWKS URL` . In that case, you can provide the URL where
client publishes it's public key in https://self-issued.info/docs/draft-ietf-jose-json-web-key.html[JWK] format. This is flexible because when
client changes it's keys, {{book.project.name}} will automatically download them without need to re-import anything on {{book.project.name}} side.

If you use client secured by {{book.project.name}} adapter, you can configure the JWKS URL like https://myhost.com/myapp/k_jwks assuming that https://myhost.com/myapp is the
root URL of your client application. See {{book.developerguide.link}}[{{book.developerguide.name}}] for additional details.
more clients 2016-05-20 20:52:41 +00:00			`[[_client-credentials]]`

			`==== Confidential Client Credentials`

fixing cross-references, adding and changing attribute id's 2016-06-01 08:49:54 +00:00			If you've set the client's <<fake/../../../clients/client-oidc.adoc#_access-type, access type>> to `confidential` in the client's
more clients 2016-05-20 20:52:41 +00:00			`Settings` tab, a new `Credentials` tab will show up. As part of dealing with this
			`type of client you have to configure the client's credentials.`

			`.Credentials Tab`
			`image:../../../{{book.images}}/client-credentials.png[]`

Minor changes for Clients chapter. 2016-06-03 13:12:04 +00:00			The `Client Authenticator` list box specifies the type of credential you are going to use for your confidential client.
more clients 2016-05-20 20:52:41 +00:00			It defaults to client ID and secret. The secret is automatically generated for you and the `Regenerate Secret`
			`button allows you to recreate this secret if you want or need to.`

			`Alternatively, you can opt to use a signed Json Web Token (JWT) instead of a secret.`

			`.Signed JWT`
			`image:../../../{{book.images}}/client-credentials-jwt.png[]`

			`When choosing this credential type you will have to also generate a private key and certificate for the client. The private key`
			`will be used to sign the JWT, while the certificate is used by the server to verify the signature. Click on the`
			`Generate new keys and certificate` button to start this process.

			`.Generate Keys`
			`image:../../../{{book.images}}/generate-client-keys.png[]`

			`When you generate these keys, {{book.project.name}} will store the certificate, and you'll need to download the private key`
			`and certificate for your client to use. Pick the archive format you want and specify the password for the private key`
			`and store.`

			`You can also opt to`
			`generate these via an external tool and just import the client's certificate.`

			`.Import Certificate`
			`image:../../../{{book.images}}/import-client-cert.png[]`

Minor changes for Clients chapter. 2016-06-03 13:12:04 +00:00			`There are multiple formats you can import from, just choose the archive format you have the certificate stored in,`
more clients 2016-05-20 20:52:41 +00:00			select the file, and click the `Import` button.

KEYCLOAK-3564 Docs for key rotation on OIDC clients and identity providers 2016-10-04 17:07:07 +00:00			Finally note that you don't even need to import certificate if you choose to `Use JWKS URL` . In that case, you can provide the URL where
			`client publishes it's public key in https://self-issued.info/docs/draft-ietf-jose-json-web-key.html[JWK] format. This is flexible because when`
			`client changes it's keys, {{book.project.name}} will automatically download them without need to re-import anything on {{book.project.name}} side.`

			`If you use client secured by {{book.project.name}} adapter, you can configure the JWKS URL like https://myhost.com/myapp/k_jwks assuming that https://myhost.com/myapp is the`
			`root URL of your client application. See {{book.developerguide.link}}[{{book.developerguide.name}}] for additional details.`

more clients 2016-05-20 20:52:41 +00:00