[keycloak-user] JWS Client Assertion On Client Authentication

乗松隆志 / NORIMATSU,TAKASHI takashi.norimatsu.ws at hitachi.com
Wed Nov 8 20:28:02 EST 2017


Posolda-san, thanks a lot for your reply.

I've created its JIRA issue.
https://issues.jboss.org/browse/KEYCLOAK-5811

Compared with private_key_jwt in Client Authentication (http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication),
client_secret_jwt might be a moderate choice for a Client App that finds managing its certificate difficult.

Best Regards
Takashi Norimatsu
Hitachi, Ltd.
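As an added illustration (not code from this thread or from Keycloak itself), the following Python shows what a client_secret_jwt client assertion per the OIDC Core section linked above looks like, and what the token endpoint must check before accepting it: the HMAC over the client secret, a pinned alg, iss and sub equal to the client_id, aud equal to the token endpoint, exp not passed, and a jti that has not been seen before. The token endpoint URL, client id and secret are assumed sample values.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumed token endpoint URL used as the assertion audience (not a real deployment).
TOKEN_ENDPOINT = "https://idp.example.com/auth/realms/demo/protocol/openid-connect/token"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_client_secret_jwt(client_id, client_secret, aud, now=None, ttl=60):
    """Client side: HS256 JWT signed with the shared client secret (client_secret_jwt)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + ttl}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_client_secret_jwt(assertion, client_id, client_secret, aud, seen_jti, now=None):
    """Server side: verify signature first, then the claims required by OIDC Core."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = assertion.split(".")
    except ValueError:
        return False
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust "none" etc.
        return False
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return False
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False
    aud_claim = claims.get("aud")             # aud may be a string or a list of strings
    if aud_claim != aud and (not isinstance(aud_claim, list) or aud not in aud_claim):
        return False
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False
    jti = claims.get("jti")                   # reject replayed assertions
    if not jti or jti in seen_jti:
        return False
    seen_jti.add(jti)
    return True
```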

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com] 
Sent: Monday, November 06, 2017 6:10 PM
To: 乗松隆志 / NORIMATSU,TAKASHI; 'keycloak-user at lists.jboss.org'
Subject: [!]Re: [keycloak-user] JWS Client Assertion On Client Authentication

Yes, we don't yet have support for this. AFAIK nobody has requested it yet, and it wasn't strictly required for the OpenID Connect Certification either (note that Keycloak is OpenID Connect certified).

Feel free to create a JIRA if it doesn't already exist. Ideally, if you want to contribute this, including tests, documentation and support on both the server and adapter side, that would be nice.

Thanks,
Marek


On 02/11/17 04:47, 乗松隆志 / NORIMATSU,TAKASHI wrote:
> Hello.
>
> I'm interested in Client Authentication in JWS Client Assertion.
> It seems that keycloak only supports this using private key signing, i.e. the "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
> I expected that keycloak also supported the "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
>
> In org.keycloak.protocol.oidc.OIDCLoginProtocol
>
>      // Client authentication methods
>      public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
>      public static final String CLIENT_SECRET_POST = "client_secret_post";
>      public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
>      public static final String PRIVATE_KEY_JWT = "private_key_jwt";
>
> PRIVATE_KEY_JWT is referenced from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods().
> Only PRIVATE_KEY_JWT is added as an authentication method, while CLIENT_SECRET_JWT is referenced from no class.
>
> Does somebody know why keycloak does not support the "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ?
> (e.g. security concerns, etc.)
>
> And does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion?
>
> Best Regards
> Takashi Norimatsu
> Hitachi, Ltd.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
