libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases 1 Packages Activity Actions

KEYCLOAK-5811 OIDC Client Authentication by JWS Client Assertion in client_secret_jwt

Browse source
This commit is contained in:
Takashi Norimatsu 2018-01-24 13:25:46 +09:00 committed by Marek Posolda
parent bc4d894fcd
commit 8afdbde315
2 changed files with 20 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
securing_apps/topics/oidc/java/client-authentication.adoc
View file

@ -1,7 +1,7 @@
[[_client_authentication_adapter]] [[_client_authentication_adapter]]
==== Client Authentication ==== Client Authentication
When a confidential OIDC client needs to send a backchannel request (for example, to exchange code for the token, or to refresh the token) it needs to authenticate against the {project_name} server. By default, there are two ways to authenticate the client: client ID and client secret, or client authentication with signed JWT. When a confidential OIDC client needs to send a backchannel request (for example, to exchange code for the token, or to refresh the token) it needs to authenticate against the {project_name} server. By default, there are three ways to authenticate the client: client ID and client secret, client authentication with signed JWT, or client authentication with signed JWT using client secret.
===== Client ID and Client Secret ===== Client ID and Client Secret
@ -56,6 +56,20 @@ you can point to any file on the file system where the client application is run
ifeval::[{project_community}==true] ifeval::[{project_community}==true]
For inspiration, you can take a look at the examples distribution into the main demo example into the `product-portal` application. For inspiration, you can take a look at the examples distribution into the main demo example into the `product-portal` application.
===== Client Authentication with Signed JWT using Client Secret
This is the same as Client Authentication with Signed JWT except for using the client secret instead of the private key and certificate.
The client has a secret, which needs to be known to both the adapter (application) and the {project_name} server. You need to choose `Signed JWT with Client Secret` as the method of authenticating your client in the tab `Credentials` in administration console, and then paste this secret into the `keycloak.json` file on the application side:
[source]
----
"credentials": {
"secret-jwt": {
"secret": "19666a4f-32dd-4049-b082-684c74115f28"
}
}
----
===== Add Your Own Client Authentication Method ===== Add Your Own Client Authentication Method

5
server_admin/topics/clients/oidc/confidential.adoc
View file

@ -49,3 +49,8 @@ WARNING: For the performance purposes, {project_name} caches the public keys of
was compromised, it is obviously good to update your keys, but it's also good to clear the keys cache. See <<_clear-cache, Clearing the cache>> was compromised, it is obviously good to update your keys, but it's also good to clear the keys cache. See <<_clear-cache, Clearing the cache>>
section for more details. section for more details.
.Signed JWT with Client Secret
If you select this option in the `Client Authenticator` list box, you can use a JWT signed by client secret instead of the private key.
This client secret will be used to sign the JWT by the client.