[keycloak-user] JWS Client Assertion On Client Authentication

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Wed Nov 1 23:47:49 EDT 2017


I'm interested in Client Authentication in JWS Client Assertion.
It seems that keycloak only support this using private key signing of which "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
I've expected that keycloak has also supported "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .

In org.keycloak.protocol.oidc.OIDCLoginProtocol

    // Client authentication methods
    public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
    public static final String CLIENT_SECRET_POST = "client_secret_post";
    public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
    public static final String PRIVATE_KEY_JWT = "private_key_jwt";

PRIVATE_KEY_JWT is referred from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods().
Only PRIVATE_KEY_JWT are added for authentication method, while CLIENT_SECRET_JWT is referred from no classes.

Does somebody know why keycloak does not support "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ?
(ex. security concerns, etc ...)

And, does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion?

Best Regards
Takashi Norimatsu
Hitachi, Ltd.

More information about the keycloak-user mailing list