[keycloak-user] JWS Client Assertion On Client Authentication
mposolda at redhat.com
Mon Nov 6 04:09:34 EST 2017
Yes, we don't yet have support for this. AFAIK nobody yet requested it
and it wasn't strictly required for the OpenID Connect Certification as
well (Note that Keycloak is OpenID Connect certified).
Feel free to create JIRA if it doesn't already exists. Ideally if you
want to contribute this including tests, documentation and support on
both the server and adapters side, it will be nice.
On 02/11/17 04:47, 乗松隆志 / NORIMATSU，TAKASHI wrote:
> I'm interested in Client Authentication in JWS Client Assertion.
> It seems that keycloak only support this using private key signing of which "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
> I've expected that keycloak has also supported "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
> In org.keycloak.protocol.oidc.OIDCLoginProtocol
> // Client authentication methods
> public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
> public static final String CLIENT_SECRET_POST = "client_secret_post";
> public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
> public static final String PRIVATE_KEY_JWT = "private_key_jwt";
> PRIVATE_KEY_JWT is referred from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods().
> Only PRIVATE_KEY_JWT are added for authentication method, while CLIENT_SECRET_JWT is referred from no classes.
> Does somebody know why keycloak does not support "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ?
> (ex. security concerns, etc ...)
> And, does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion?
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
More information about the keycloak-user