[keycloak-user] JWS Client Assertion On Client Authentication

Marek Posolda mposolda at redhat.com
Mon Nov 6 04:09:34 EST 2017

Yes, we don't yet have support for this. AFAIK nobody yet requested it 
and it wasn't strictly required for the OpenID Connect Certification as 
well (Note that Keycloak is OpenID Connect certified).

Feel free to create JIRA if it doesn't already exists. Ideally if you 
want to contribute this including tests, documentation and support on 
both the server and adapters side, it will be nice.


On 02/11/17 04:47, 乗松隆志 / NORIMATSU,TAKASHI wrote:
> Hello.
> I'm interested in Client Authentication in JWS Client Assertion.
> It seems that keycloak only support this using private key signing of which "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
> I've expected that keycloak has also supported "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
> In org.keycloak.protocol.oidc.OIDCLoginProtocol
>      // Client authentication methods
>      public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
>      public static final String CLIENT_SECRET_POST = "client_secret_post";
>      public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
>      public static final String PRIVATE_KEY_JWT = "private_key_jwt";
> PRIVATE_KEY_JWT is referred from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods().
> Only PRIVATE_KEY_JWT are added for authentication method, while CLIENT_SECRET_JWT is referred from no classes.
> Does somebody know why keycloak does not support "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ?
> (ex. security concerns, etc ...)
> And, does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion?
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

More information about the keycloak-user mailing list