[keycloak-user] Encryption of OIDC client secret

Thomas Darimont thomas.darimont at googlemail.com
Wed Apr 5 17:37:50 EDT 2017


This sounds interesting, would you mind sharing the code? :)

Cheers,
Thomas

2017-04-05 21:12 GMT+02:00 Muein Muzamil <shmuein+keycloak-dev at gmail.com>:

> For the realm keys, we have written a custom key provider to encrypt the
> keys before storing them in the database. Basically, we generate some
> derived keys based on master key (which we share between multiple instances
> using docker volumes) and encrypt/decrypt realm keys using that.
>
> So even if KeyCloak doesn't support encryption of the secrets (and other
> sensitive information) out of the box, as long as it let us customize it,
> we should be Ok.
>
> Regards,
> Muein
>
> On Wed, Apr 5, 2017 at 9:11 AM, Bill Burke <bburke at redhat.com> wrote:
>
> > Not right now.  We'll eventually be implementing a vault to encrypt
> > secrets and private keys.  We were kinda hoping that admins would just
> > make sure that their DB is secure.
> >
> > Just as a general survey question, how would you expect it to work?
> >
> >
> > On 4/5/17 9:10 AM, Muein Muzamil wrote:
> > > Hi,
> > >
> > > I noticed KeyCloak stores OIDC client secret in plain text in Database.
> > > Is there a way to extend Keycloak so that we can encrypt OIDC secret
> > > before storing it in DB?
> > >
> > > Thanks,
> > > Muein
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
>
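
The approach Muein describes above (derive a key from a shared master key, use it to encrypt realm keys before they reach the database) can be sketched with plain JCA. The following is an added editorial example, not Muein's provider (that code was not posted) and not Keycloak's own code; it only covers the wrap/unwrap step and leaves the Keycloak `KeyProvider` SPI wiring aside. Assumed details: the master key is available as 32 raw bytes (in the thread it lives on a docker volume), the realm id is used as derivation context and as AEAD associated data, the KEK is derived with an HKDF-SHA256 construction written out with `HmacSHA256`, and the realm private key is wrapped with AES-256-GCM.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Wraps a realm's RSA private key under a key-encryption key (KEK) derived
 * from a master key, so only the wrapped blob is stored in the database.
 * Plain JCA only; wiring into a Keycloak KeyProvider is not shown.
 */
public final class RealmKeyWrapper {
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    // Constructed label used as the HKDF extract salt (assumption, not a Keycloak value).
    private static final byte[] EXTRACT_SALT =
            "keycloak-realm-kek/v1".getBytes(StandardCharsets.UTF_8);
    private static final SecureRandom RNG = new SecureRandom();

    /** HKDF-SHA256 (extract, then one expand block) -> 32-byte AES-256 KEK bound to realmId. */
    static byte[] deriveKek(byte[] masterKey, String realmId) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        // extract: PRK = HMAC(salt, masterKey)
        mac.init(new SecretKeySpec(EXTRACT_SALT, "HmacSHA256"));
        byte[] prk = mac.doFinal(masterKey);
        // expand: T(1) = HMAC(PRK, info || 0x01); info carries the realm id so each
        // realm gets its own KEK and a blob cannot be moved to another realm's row
        mac.init(new SecretKeySpec(prk, "HmacSHA256"));
        mac.update(("realm-kek:" + realmId).getBytes(StandardCharsets.UTF_8));
        mac.update((byte) 0x01);
        byte[] kek = mac.doFinal();
        Arrays.fill(prk, (byte) 0);
        return kek;
    }

    /** Returns iv || ciphertext || tag; the realm id is also bound as associated data. */
    static byte[] wrap(byte[] masterKey, String realmId, PrivateKey key) throws GeneralSecurityException {
        byte[] kek = deriveKek(masterKey, realmId);
        try {
            byte[] iv = new byte[GCM_IV_BYTES];
            RNG.nextBytes(iv); // fresh random nonce per wrap; never reuse one under the same KEK
            Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
            gcm.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(kek, "AES"), new GCMParameterSpec(GCM_TAG_BITS, iv));
            gcm.updateAAD(realmId.getBytes(StandardCharsets.UTF_8));
            byte[] ct = gcm.doFinal(key.getEncoded()); // PKCS#8 DER of the private key
            return ByteBuffer.allocate(iv.length + ct.length).put(iv).put(ct).array();
        } finally {
            Arrays.fill(kek, (byte) 0); // do not leave the KEK lying around in heap
        }
    }

    /** Inverse of wrap; a tampered blob or the wrong realm id fails the GCM tag check. */
    static PrivateKey unwrap(byte[] masterKey, String realmId, byte[] blob) throws GeneralSecurityException {
        byte[] kek = deriveKek(masterKey, realmId);
        try {
            byte[] iv = Arrays.copyOfRange(blob, 0, GCM_IV_BYTES);
            Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
            gcm.init(Cipher.DECRYPT_MODE, new SecretKeySpec(kek, "AES"), new GCMParameterSpec(GCM_TAG_BITS, iv));
            gcm.updateAAD(realmId.getBytes(StandardCharsets.UTF_8));
            byte[] pkcs8 = gcm.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
            return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        } finally {
            Arrays.fill(kek, (byte) 0);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] masterKey = new byte[32];
        RNG.nextBytes(masterKey); // constructed stand-in for the master key read from the shared volume
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair realmPair = gen.generateKeyPair();

        byte[] blob = wrap(masterKey, "master", realmPair.getPrivate());
        PrivateKey restored = unwrap(masterKey, "master", blob);
        System.out.println("round trip ok: "
                + Arrays.equals(restored.getEncoded(), realmPair.getPrivate().getEncoded()));

        try {
            unwrap(masterKey, "other-realm", blob); // different KEK and AAD -> tag verification fails
        } catch (AEADBadTagException e) {
            System.out.println("blob is bound to its realm: rejected under another realm id");
        }
    }
}
```

Two design points worth noting against the thread: deriving a per-realm KEK (rather than encrypting everything directly under the master key) means a compromised blob from one realm cannot be replayed into another, and using an AEAD mode means a modified row is detected on read rather than yielding a silently corrupted private key. The master key itself is still only as safe as the volume it is shared through, which is the part Bill's planned vault would address.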

