Re: [keycloak-user] JWS Client Assertion On Client Authentication

Hello. I'm interested in Client Authentication in JWS Client Assertion. It seems that keycloak only support this using private key signing of which "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication . I've expected that keycloak has also supported "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication . In org.keycloak.protocol.oidc.OIDCLoginProtocol // Client authentication methods public static final String CLIENT_SECRET_BASIC = "client_secret_basic"; public static final String CLIENT_SECRET_POST = "client_secret_post"; public static final String CLIENT_SECRET_JWT = "client_secret_jwt"; public static final String PRIVATE_KEY_JWT = "private_key_jwt"; PRIVATE_KEY_JWT is referred from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods(). Only PRIVATE_KEY_JWT are added for authentication method, while CLIENT_SECRET_JWT is referred from no classes. Does somebody know why keycloak does not support "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ? (ex. security concerns, etc ...) And, does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion? Best Regards Takashi Norimatsu Hitachi, Ltd. _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user