You're right. It seems we don't have the possibility to update the secret. I
agree that it might be useful for some cases. It can be set just during
client creation or realm import though.
It looks like your possibilities for now are to either:
- use client creation or realm import instead of client update
- update your tool to retrieve the generated secret from the client
- create a custom REST endpoint, which will allow you to update the client
including the secret (see the Keycloak docs and the example in the directory "providers"
on how to do that).
Feel free to create a JIRA for it.
Marek
On 19/04/17 14:51, Brian Watson wrote:
Hi all,
I've noticed that when a client is created via the API, the caller can
set the client secret. However, on a client update API call, the
client secret cannot be updated. I am aware that there is an API for
resetting a client secret, and another for obtaining the new
secret. However, I was wondering if the ability to update a client
secret on a client update API call could be readdressed. Here is my
use case:
My company is writing a tool that allows us to configure Keycloak via
configuration. One of the main uses is to be able to update the data
for a client for a given microservice in our deployment pipeline. If
we could update the client secret via an update call, then all
configuration could be set before a deployment: the Keycloak client
secret in the tool configuration, and the client secret configuration
in the microservice. During deployment, this would minimize downtime.
Additionally, the tool is simplified, as it doesn't need to know how
the microservice handles its configuration.
However, if we rely on the reset secret functionality, we either have to:
- Use the UI to reset the secret, put the new secret in the
microservice configuration, then deploy. This will create a good
amount of downtime for the microservice -> Keycloak communication.
- Update the tool we are creating to use the reset API, fetch the new
secret, then automatically update the microservice configuration. This
is problematic, as our system is a polyglot system, and the tool would
need some complicated logic and per-microservice customizations to
programmatically update the given microservice's configuration during
deployment.
Again, being able to update a secret with a predefined value would
greatly simplify the tool development and deployment process.
Thoughts?
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
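
The reset-then-retrieve flow discussed in this thread, as an added example that is not part of either message and is not Keycloak project code. It assumes the Admin REST endpoints `GET /{realm}/clients?clientId=...` and `POST`/`GET /{realm}/clients/{id}/client-secret` under an assumed base URL, and `publish` is a hypothetical callback that stores the secret where the microservice reads it.

```python
import json
import urllib.request
from urllib.parse import quote

def http_send(method, url, token):
    """Real transport: one Admin REST call, returns the decoded JSON body."""
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))

def rotate_client_secret(admin_base, realm, client_id, token, publish,
                         send=http_send):
    """Reset a client's secret and pass the generated value to `publish`.

    admin_base is an assumed URL such as https://sso.example.test/auth/admin/realms;
    publish(client_id, secret) is a hypothetical callback that writes the value
    wherever the microservice reads it. The secret is never logged or returned.
    """
    realm_url = admin_base.rstrip("/") + "/" + quote(realm, safe="")
    # The secret endpoints take the client's internal id, not its clientId.
    found = send("GET", realm_url + "/clients?clientId=" + quote(client_id, safe=""), token)
    if len(found) != 1:
        raise LookupError("expected one client %r, got %d" % (client_id, len(found)))
    secret_url = realm_url + "/clients/" + quote(found[0]["id"], safe="") + "/client-secret"
    generated = send("POST", secret_url, token)["value"]  # reset: server generates
    stored = send("GET", secret_url, token)["value"]      # read back what is stored
    if stored != generated:
        raise RuntimeError("secret changed between reset and read-back")
    publish(client_id, stored)
    return found[0]["id"]

if __name__ == "__main__":
    # Constructed stand-in for a Keycloak server so the flow runs offline.
    state = {"secret": "old-constructed-value"}

    def fake_send(method, url, token):
        if "?clientId=" in url:
            return [{"id": "0000-constructed-id", "clientId": "orders-service"}]
        if method == "POST":
            state["secret"] = "new-constructed-value"
        return {"type": "secret", "value": state["secret"]}

    store = {}
    rotate_client_secret("https://sso.example.test/auth/admin/realms", "demo",
                         "orders-service", "constructed-token",
                         store.__setitem__, send=fake_send)
    print("published for:", sorted(store))
```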