diff --git a/securing_apps/topics/oidc/java/client-authentication.adoc b/securing_apps/topics/oidc/java/client-authentication.adoc index a378ae87b5..520dbd94ec 100644 --- a/securing_apps/topics/oidc/java/client-authentication.adoc +++ b/securing_apps/topics/oidc/java/client-authentication.adoc @@ -28,7 +28,7 @@ This is based on the https://tools.ietf.org/html/rfc7523[RFC7523] specification. the particular backchannel request (for example, code-to-token request) in the `client_assertion` parameter. * {project_name} must have the public key or certificate of the client so that it can verify the signature on JWT. In {project_name} you need to configure client credentials for your client. First you need to choose `Signed JWT` as the method of authenticating your client in the tab `Credentials` in administration console. -Then you can choose to either: +Then you can choose to either in the tab `Keys`: ** Configure the JWKS URL where {project_name} can download the client's public keys. This can be a URL such as \http://myhost.com/myapp/k_jwks (see details above). This option is the most flexible, since the client can rotate its keys anytime and {project_name} then always downloads new keys when needed without needing to change the configuration. More accurately, {project_name} downloads new keys when it sees the token signed by an unknown `kid` (Key ID). ** Upload the client's public key or certificate, either in PEM format, in JWK format, or from the keystore. With this option, the public key is hardcoded and must be changed when the client generates a new key pair. You can even generate your own keystore from the {project_name} admininstration console if you don't have your own available. 
diff --git a/server_admin/keycloak-images/client-credentials-jwt.png b/server_admin/keycloak-images/client-credentials-jwt.png index ac89b25518..8b6f129aaf 100644 Binary files a/server_admin/keycloak-images/client-credentials-jwt.png and b/server_admin/keycloak-images/client-credentials-jwt.png differ diff --git a/server_admin/keycloak-images/client-credentials.png b/server_admin/keycloak-images/client-credentials.png index 745261bea9..8932001bf5 100644 Binary files a/server_admin/keycloak-images/client-credentials.png and b/server_admin/keycloak-images/client-credentials.png differ diff --git a/server_admin/keycloak-images/client-installation.png b/server_admin/keycloak-images/client-installation.png index 720a5375ae..2b84d047df 100644 Binary files a/server_admin/keycloak-images/client-installation.png and b/server_admin/keycloak-images/client-installation.png differ diff --git a/server_admin/keycloak-images/client-oidc-keys.png b/server_admin/keycloak-images/client-oidc-keys.png new file mode 100644 index 0000000000..b94e9fca88 Binary files /dev/null and b/server_admin/keycloak-images/client-oidc-keys.png differ diff --git a/server_admin/keycloak-images/client-scope.png b/server_admin/keycloak-images/client-scope.png index 281c2c7413..4f0d8aa3c1 100644 Binary files a/server_admin/keycloak-images/client-scope.png and b/server_admin/keycloak-images/client-scope.png differ diff --git a/server_admin/keycloak-images/client-settings-oidc.png b/server_admin/keycloak-images/client-settings-oidc.png index b300dde137..9bfe4f825a 100644 Binary files a/server_admin/keycloak-images/client-settings-oidc.png and b/server_admin/keycloak-images/client-settings-oidc.png differ diff --git a/server_admin/keycloak-images/client-settings-saml.png b/server_admin/keycloak-images/client-settings-saml.png index b4c85cb80e..16e1f9d533 100644 Binary files a/server_admin/keycloak-images/client-settings-saml.png and b/server_admin/keycloak-images/client-settings-saml.png differ 
diff --git a/server_admin/keycloak-images/fine-grain-client-permissions-tab-off.png b/server_admin/keycloak-images/fine-grain-client-permissions-tab-off.png index d16293f9ae..880c4ae9be 100644 Binary files a/server_admin/keycloak-images/fine-grain-client-permissions-tab-off.png and b/server_admin/keycloak-images/fine-grain-client-permissions-tab-off.png differ diff --git a/server_admin/keycloak-images/fine-grain-client-permissions-tab-on.png b/server_admin/keycloak-images/fine-grain-client-permissions-tab-on.png index 2ca7124a42..9e95b7c05e 100644 Binary files a/server_admin/keycloak-images/fine-grain-client-permissions-tab-on.png and b/server_admin/keycloak-images/fine-grain-client-permissions-tab-on.png differ diff --git a/server_admin/keycloak-images/fine-grain-client.png b/server_admin/keycloak-images/fine-grain-client.png index 9296a3e212..8de82f5e77 100644 Binary files a/server_admin/keycloak-images/fine-grain-client.png and b/server_admin/keycloak-images/fine-grain-client.png differ diff --git a/server_admin/keycloak-images/fine-grain-sales-application-roles.png b/server_admin/keycloak-images/fine-grain-sales-application-roles.png index dc14aaeeb8..db69694334 100644 Binary files a/server_admin/keycloak-images/fine-grain-sales-application-roles.png and b/server_admin/keycloak-images/fine-grain-sales-application-roles.png differ diff --git a/server_admin/keycloak-images/full-client-scope.png b/server_admin/keycloak-images/full-client-scope.png index 71b5904820..12eb0e5f35 100644 Binary files a/server_admin/keycloak-images/full-client-scope.png and b/server_admin/keycloak-images/full-client-scope.png differ diff --git a/server_admin/keycloak-images/generate-client-keys.png b/server_admin/keycloak-images/generate-client-keys.png index 19f108a25d..9d03a04b23 100644 Binary files a/server_admin/keycloak-images/generate-client-keys.png and b/server_admin/keycloak-images/generate-client-keys.png differ 
diff --git a/server_admin/keycloak-images/import-client-cert.png b/server_admin/keycloak-images/import-client-cert.png index 1e7ba7887f..9df242e2b3 100644 Binary files a/server_admin/keycloak-images/import-client-cert.png and b/server_admin/keycloak-images/import-client-cert.png differ diff --git a/server_admin/keycloak-images/mappers-oidc.png b/server_admin/keycloak-images/mappers-oidc.png index deaf997625..1212b36299 100644 Binary files a/server_admin/keycloak-images/mappers-oidc.png and b/server_admin/keycloak-images/mappers-oidc.png differ diff --git a/server_admin/keycloak-images/x509-client-auth.png b/server_admin/keycloak-images/x509-client-auth.png index 4b2eea8f7a..01cd01e702 100644 Binary files a/server_admin/keycloak-images/x509-client-auth.png and b/server_admin/keycloak-images/x509-client-auth.png differ diff --git a/server_admin/topics/clients/client-oidc.adoc b/server_admin/topics/clients/client-oidc.adoc index f88708f4fe..00de88b281 100644 --- a/server_admin/topics/clients/client-oidc.adoc +++ b/server_admin/topics/clients/client-oidc.adoc 
@@ -184,9 +184,8 @@ In Key Encryption, the client generates a key pair of asymmetric cryptography. T The client needs to pass their public key for encrypting CEK onto {project_name}. {project_name} supports downloading public keys from the URL the client provides. The client needs to provide their public keys according to https://tools.ietf.org/html/rfc7517[Json Web Keys (JWK)] specification. The way to do so is defined in `Signed JWT` of <<_client-credentials, Confidential Client Credentials>>. The detailed procedure is as follows: -* open the client's `Credentials` tab -* select `Signed Jwt` from `Client Authenticator` pulldown menu -* set ON to `JWKS URL` switch +* open the client's `Keys` tab +* toggle `JWKS URL` to ON * input the client's public key providing URL on `JWKS URL` textbox Key Encryption's algorithms are defined in the https://tools.ietf.org/html/rfc7518#section-4.1[Json Web Algorithm (JWA)] specification. {project_name} supports RSAES-PKCS1-v1_5(RSA1_5), RSAES OAEP using default parameters (RSA-OAEP), and RSAES OAEP 256 using SHA-256 and MFG1 (RSA-OAEP-256). The detailed procedure to select this algorithm is as follows: diff --git a/server_admin/topics/clients/client-saml.adoc b/server_admin/topics/clients/client-saml.adoc index 614318d73f..658405a2c2 100644 --- a/server_admin/topics/clients/client-saml.adoc +++ b/server_admin/topics/clients/client-saml.adoc @@ -98,7 +98,7 @@ Encrypt Assertions:: Client Signature Required:: Expect that documents coming from a client are signed. - {project_name} will validate this signature using the client public key or cert set up in the `SAML Keys` tab. + {project_name} will validate this signature using the client public key or cert set up in the `Keys` tab. Force POST Binding:: By default, {project_name} will respond using the initial SAML binding of the original request. 
diff --git a/server_admin/topics/clients/oidc/confidential.adoc b/server_admin/topics/clients/oidc/confidential.adoc index e7009f044e..d6e424775c 100644 --- a/server_admin/topics/clients/oidc/confidential.adoc +++ b/server_admin/topics/clients/oidc/confidential.adoc @@ -20,9 +20,13 @@ Alternatively, you can opt to use a signed Json Web Token (JWT) or x509 certific .Signed JWT image:{project_images}/client-credentials-jwt.png[] -When choosing this credential type you will have to also generate a private key and certificate for the client. The private key -will be used to sign the JWT, while the certificate is used by the server to verify the signature. Click on the -`Generate new keys and certificate` button to start this process. +When choosing this credential type you will have to also generate a private key and certificate for the client in the tab `Keys`. +The private key will be used to sign the JWT, while the certificate is used by the server to verify the signature. + +.Keys Tab +image:{project_images}/client-oidc-keys.png[] + +Click on the `Generate new keys and certificate` button to start this process. .Generate Keys image:{project_images}/generate-client-keys.png[]
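Review bot: in the client-authentication.adoc hunk, the new line "Then you can choose to either in the tab `Keys`:" reads awkwardly because the tab reference is wedged between "either" and the colon that introduces the two `**` options; suggest "Then, in the tab `Keys`, you can choose to either:" so the two options still attach to "either". While this paragraph is being touched, the unchanged context line in the same hunk still spells "admininstration"; worth fixing in the same commit.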
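Review bot: in the client-oidc.adoc hunk, the step "select `Signed Jwt` from `Client Authenticator` pulldown menu" is removed, but the unchanged sentence directly above the list still says "The way to do so is defined in `Signed JWT` of Confidential Client Credentials". If selecting Signed JWT as the authenticator is no longer a prerequisite for setting the JWKS URL on the `Keys` tab (which is what dropping the step implies), that cross-reference should be reworded to point at the `Keys` tab instead; if it is still a prerequisite, the step should stay. As written, the sentence and the list below it disagree.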
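Review bot: in the confidential.adoc hunk, the rewritten sentence "you will have to also generate a private key and certificate for the client in the tab `Keys`" still presents generating a key pair as the only way forward, while the client-authentication.adoc hunk in this same patch documents that the `Keys` tab also accepts a JWKS URL or an uploaded public key or certificate. Suggest "you will also have to provide a public key for the client in the tab `Keys`, either by generating a new key pair or by configuring an existing one", so that the "Click on the `Generate new keys and certificate` button" step below reads as one option rather than a requirement.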