keycloak-scim/server_admin/topics/clients/oidc/proc-secret-rotation.adoc
2022-07-26 11:50:24 -04:00


[id="proc-secret-rotation_{context}"]
[[_proc-secret-rotation]]
= Creating an OIDC Client Secret Rotation Policy
[role="_abstract"]
The following is an example of defining a secret rotation policy:
.Procedure
. Click *Realm Settings* in the menu.
. Click the *Client Policies* tab.
ifeval::[{project_community}==true]
. On the *Profiles* page, click *Create client profile*.
endif::[]
ifeval::[{project_product}==true]
. On the *Profiles* page, click *Create*.
endif::[]
+
.Create a profile
image:{project_images}/create-oidc-client-profile.png[Create Client Profile]
. Enter any name for *Name*.
. Enter a description that helps you identify the purpose of the profile for *Description*.
. Click *Save*.
+
This action creates the profile and enables you to configure executors.
ifeval::[{project_community}==true]
. Click *Add executor* to configure an executor for this profile.
endif::[]
ifeval::[{project_product}==true]
. Click *Create* to configure an executor for this profile.
endif::[]
+
.Create a profile executor
image:{project_images}/create-oidc-client-secret-rotation-executor.png[Client Profile Executor]
. Select _secret-rotation_ for *Executor Type*.
. Enter the maximum lifetime of each secret, in seconds, for *Secret Expiration*.
. Enter the maximum lifetime of each rotated secret, in seconds, for *Rotated Secret Expiration*.
+
WARNING: Remember that the *Rotated Secret Expiration* value must always be less than *Secret Expiration*.
. Enter the amount of time, in seconds, before the secret expires during which any update action will rotate the client secret, for *Remain Expiration Time*.
ifeval::[{project_community}==true]
. Click *Add*.
endif::[]
ifeval::[{project_product}==true]
. Click *Save*.
endif::[]
+
====
In the example above:
* Each secret is valid for one week.
* The rotated secret expires after two days.
* The window for updating dynamic clients starts one day before the secret expires.
====
. Return to the *Client Policies* tab.
. Click *Policies*.
ifeval::[{project_community}==true]
. Click *Create client policy*.
endif::[]
ifeval::[{project_product}==true]
. Click *Create*.
endif::[]
+
.Create the Client Secret Rotation Policy
image:{project_images}/create-oidc-client-secret-rotation-policy.png[Client Rotation Policy]
. Enter any name for *Name*.
. Enter a description that helps you identify the purpose of the policy for *Description*.
. Click *Save*.
+
This action creates the policy and enables you to associate policies with profiles. It also allows you to configure the conditions for policy execution.
ifeval::[{project_community}==true]
. Under Conditions, click *Add condition*.
endif::[]
ifeval::[{project_product}==true]
. Under Conditions, click *Create*.
endif::[]
+
.Create the Client Secret Rotation Policy Condition
image:{project_images}/create-oidc-client-secret-rotation-condition.png[Client Rotation Policy Condition]
. To apply the behavior to all confidential clients, select _client-access-type_ in the *Condition Type* field.
+
[NOTE]
====
To apply the policy to a specific group of clients instead, select the _client-roles_ type in the *Condition Type* field. You can then create specific roles and assign a custom rotation configuration to each role.
====
. Add _confidential_ to the *Client Access Type* field.
ifeval::[{project_community}==true]
. Click *Add*.
. Back in the policy settings, under _Client Profiles_, click *Add client profile*, select *Weekly Client Secret Rotation Profile* from the list, and click *Add*.
endif::[]
ifeval::[{project_product}==true]
. Click *Save*.
. Back in the policy settings, under _Client Profiles_, select the *Weekly Client Secret Rotation Profile* created earlier from the *Add client profile* menu.
endif::[]
.Client Secret Rotation Policy
image:{project_images}/oidc-client-secret-rotation-policy.png[Client Rotation Policy]
[NOTE]
====
To apply the secret rotation behavior to an existing client, follow these steps:
.Using the Admin Console
. Click *Clients* in the menu.
. Click a client.
. Click the *Credentials* tab.
ifeval::[{project_community}==true]
. Click *Re-generate* next to the client secret.
endif::[]
ifeval::[{project_product}==true]
. Click *_Re-generate secret_*.
endif::[]
====
---
.Using client REST services, rotation can be triggered in two ways:
* Through an update operation on a client
* Through the regenerate client secret endpoint
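The timing that the three executor settings above define, and the difference between an update action (rotates only inside the window) and an explicit regenerate (always rotates), modelled in Python as an added example that is not Keycloak's own code. The constants carry the page's example values (one week, two days, one day); the model assumes the rotated secret's lifetime is counted from the moment of rotation and that an expired secret, primary or rotated, is rejected.

```python
# Added example, not Keycloak code: a small model of the secret-rotation
# executor's timing, driven by the three executor settings from the page.
# Assumptions: the rotated secret's lifetime counts from the moment of
# rotation, and an expired secret (primary or rotated) is rejected.
import hmac
from dataclasses import dataclass
from typing import Optional

WEEK, TWO_DAYS, ONE_DAY = 7 * 86400, 2 * 86400, 86400  # the page's example values


@dataclass
class RotationPolicy:
    secret_expiration: int          # "Secret Expiration", seconds
    rotated_secret_expiration: int  # "Rotated Secret Expiration", seconds
    remain_expiration_time: int     # "Remain Expiration Time", seconds

    def __post_init__(self) -> None:
        # The page's WARNING: the rotated lifetime must be shorter than the secret lifetime.
        if self.rotated_secret_expiration >= self.secret_expiration:
            raise ValueError("Rotated Secret Expiration must be less than Secret Expiration")


@dataclass
class ClientSecrets:
    secret: str
    secret_expires_at: int                  # unix seconds
    rotated_secret: Optional[str] = None
    rotated_expires_at: Optional[int] = None


def regenerate(policy: RotationPolicy, s: ClientSecrets, now: int, new_secret: str) -> ClientSecrets:
    """Explicit 'Re-generate secret' (console or REST endpoint): always rotates.
    The previous secret stays usable as the rotated secret for a limited time."""
    s.rotated_secret, s.rotated_expires_at = s.secret, now + policy.rotated_secret_expiration
    s.secret, s.secret_expires_at = new_secret, now + policy.secret_expiration
    return s


def on_update(policy: RotationPolicy, s: ClientSecrets, now: int, new_secret: str) -> ClientSecrets:
    """A client update action rotates only inside the 'remain expiration' window,
    i.e. during the last remain_expiration_time seconds of the secret's life."""
    if now >= s.secret_expires_at - policy.remain_expiration_time:
        return regenerate(policy, s, now, new_secret)
    return s


def accepts(s: ClientSecrets, presented: str, now: int) -> bool:
    """Can a client authenticate with `presented` at time `now`? (constant-time compare)"""
    if hmac.compare_digest(presented, s.secret) and now < s.secret_expires_at:
        return True
    return (s.rotated_secret is not None and hmac.compare_digest(presented, s.rotated_secret)
            and now < s.rotated_expires_at)
```

With the page's values, an update on day 3 leaves the secret untouched, an update on day 6.5 rotates it, and the old secret is still accepted on day 7 but not on day 9.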