From 678d80cbc88b7154b90060b03d7e257c56b82ac9 Mon Sep 17 00:00:00 2001 From: Takashi Norimatsu Date: Wed, 15 Jan 2020 09:38:58 +0900 Subject: [PATCH] KEYCLOAK-12615 HS384 and HS512 support for Client Authentication by Client Secret Signed JWT --- securing_apps/topics/oidc/java/client-authentication.adoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/securing_apps/topics/oidc/java/client-authentication.adoc b/securing_apps/topics/oidc/java/client-authentication.adoc index 9c09d594e4..a378ae87b5 100644 --- a/securing_apps/topics/oidc/java/client-authentication.adoc +++ b/securing_apps/topics/oidc/java/client-authentication.adoc @@ -66,11 +66,16 @@ The client has a secret, which needs to be known to both the adapter (applicatio ---- "credentials": { "secret-jwt": { - "secret": "19666a4f-32dd-4049-b082-684c74115f28" + "secret": "19666a4f-32dd-4049-b082-684c74115f28", + "algorithm": "HS512" } } ---- +The "algorithm" field specifies the algorithm for Signed JWT using Client Secret. It needs to be one of the following values : HS256, HS384, and HS512. For details, please refer to https://tools.ietf.org/html/rfc7518#section-3.2[JSON Web Algorithms (JWA)]. + +This "algorithm" field is optional so that HS256 is applied automatically if the "algorithm" field does not exist on the `keycloak.json` file. + ===== Add Your Own Client Authentication Method You can add your own client authentication method as well. You will need to implement both client-side and server-side providers. For more details see the `Authentication SPI` section in link:{developerguide_link}[{developerguide_name}].
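Review bot: The added example sets `"algorithm": "HS512"` next to the existing 36-character UUID secret, but RFC 7518 section 3.2, which the new paragraph links to, requires an HMAC key at least as large as the hash output (48 bytes for HS384, 64 bytes for HS512). If the secret string is used directly as the key, the example falls short of that requirement. Either keep the sample at the default or add a sentence stating the minimum secret length for HS384 and HS512. The paragraph also does not say what the adapter does when the value is outside the three listed, which is worth one sentence. Wording nits in the same lines: "following values : HS256, HS384, and HS512" should read "one of the following values: HS256, HS384, or HS512", and the last sentence is clearer as "This field is optional; if it is absent from `keycloak.json`, HS256 is used."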