Posolda-san, thanks a lot for your reply.
I've created a JIRA issue for it.
https://issues.jboss.org/browse/KEYCLOAK-5811
Compared with private_key_jwt in Client Authentication
(http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication),
client_secret_jwt might be a moderate choice for a Client App that finds managing its
certificate difficult.
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
-----Original Message-----
From: Marek Posolda [mailto:mposolda@redhat.com]
Sent: Monday, November 06, 2017 6:10 PM
To: 乗松隆志 / NORIMATSU,TAKASHI; 'keycloak-user(a)lists.jboss.org'
Subject: [!]Re: [keycloak-user] JWS Client Assertion On Client Authentication
Yes, we don't yet have support for this. AFAIK nobody yet requested it and it
wasn't strictly required for the OpenID Connect Certification as well (Note that
Keycloak is OpenID Connect certified).
Feel free to create a JIRA if it doesn't already exist. Ideally if you want to
contribute this including tests, documentation and support on both the server and adapters
side, it will be nice.
Thanks,
Marek
On 02/11/17 04:47, 乗松隆志 / NORIMATSU,TAKASHI wrote:
Hello.
I'm interested in Client Authentication in JWS Client Assertion.
It seems that Keycloak only supports this using private key signing, which is the
"private_key_jwt" method in
http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
I had expected that Keycloak also supported the "client_secret_jwt" method in
http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication .
In org.keycloak.protocol.oidc.OIDCLoginProtocol
// Client authentication methods
public static final String CLIENT_SECRET_BASIC = "client_secret_basic";
public static final String CLIENT_SECRET_POST = "client_secret_post";
public static final String CLIENT_SECRET_JWT = "client_secret_jwt";
public static final String PRIVATE_KEY_JWT = "private_key_jwt";
PRIVATE_KEY_JWT is referred from
org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods().
Only PRIVATE_KEY_JWT is added as an authentication method, while CLIENT_SECRET_JWT is
referenced from no classes.
Does somebody know why keycloak does not support "client_secret_jwt" method in
http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ?
(ex. security concerns, etc ...)
And, does someone know whether there is any plan to implement this
"client_secret_jwt" method for Client Authentication in JWS Client Assertion?
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
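The following Python example is added here and is not part of the thread or of Keycloak's code. It shows what the client_secret_jwt method discussed above involves on both sides: the client signs a short-lived assertion with HMAC-SHA256 keyed by its client_secret, and the server pins the algorithm, checks the signature in constant time, and enforces audience, expiry and single use of the jti. The function names, client id, secret and token endpoint URL are constructed sample values.

```python
import base64, hashlib, hmac, json, time, uuid

# Constructed sample values (not from the thread or from Keycloak).
TOKEN_ENDPOINT = "https://idp.example.test/token"
CLIENT_SECRETS = {"demo-client": b"constructed-demo-secret-0123456789abcdef"}

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(client_id, secret, aud, now=None, ttl=60, alg="HS256"):
    """Client side: iss and sub are both the client_id; the key is the client_secret."""
    now = int(time.time()) if now is None else now
    claims = {"iss": client_id, "sub": client_id, "aud": aud,
              "jti": uuid.uuid4().hex, "iat": now, "exp": now + ttl}
    head = b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def verify_assertion(jwt, seen_jti, now=None):
    """Server side: return the authenticated client_id, or None on any failure."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = jwt.split(".")
        header, claims = json.loads(b64u_dec(head)), json.loads(b64u_dec(body))
        signature = b64u_dec(sig)
    except ValueError:
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":   # pin the algorithm, never take it from the token
        return None
    client_id, jti, exp = claims.get("iss"), claims.get("jti"), claims.get("exp")
    secret = CLIENT_SECRETS.get(client_id) if isinstance(client_id, str) else None
    if secret is None or claims.get("sub") != client_id:
        return None
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):   # constant-time comparison
        return None
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        return None
    if not isinstance(exp, int) or exp <= now or not isinstance(jti, str) or jti in seen_jti:
        return None
    seen_jti.add(jti)                  # single use: a replayed assertion is refused
    return client_id
```

Because the server must hold the same secret to recompute the HMAC, this method avoids certificate management on the client but gives up the property of private_key_jwt that only the client holds the signing key.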