[keycloak-dev] Pluggable client authentication, Support for client authentication with signed JWT

Marek Posolda mposolda at redhat.com
Tue Aug 18 02:58:00 EDT 2015 

I've sent PR https://github.com/keycloak/keycloak/pull/1545 for 
#subject. Few main points:
- Authentication of OIDC clients is now pluggable. I've added 
ClientAuthenticationSPI and some support classes like 
ClientAuthenticator . There is also new flow type 
ClientAuthenticationFlow as there are some differences between 
authenticating clients and users (ie. for clients you don't have 
ClientSession available etc).

- There is new builtin flow "clients" added automatically, which can be 
seen in "Authentication" tab in admin console . By default it has 2 
executions:
-- Traditional authentication with client_id and client_secret
-- Authentication with signed JWT . It works in a way that client 
generates JWT and signs it with his private key . Keycloak then verifies 
signature with public key attached to the certificate corresponding to 
client . Related specifications: [1] and [2] . I've implemented 6.1 and 
6.2 from the [1], which means that clients are able to authenticate 
themselves for retrieve service accounts (ie. "grant_type" is 
"client_credentials" ), but also authenticate themselves for all other 
backchannel requests (code-to-token, refresh token etc)

- In "Credentials" tab in admin console for Client is table with 
available authentication mechanism. Admin needs to choose "Client Id and 
Secret" or "Signed JWT" . For signed JWT he can either:
-- generate keypair + certificate and download his private key into JKS 
or PKCS12 keystore file
-- upload the certificate corresponding to his existing private key .
In both cases is Client's private key not saved in Keycloak DB as 
discussed in other thread last week. So just the client is exclusive 
owner of his private key and when he loose it, he needs to generate and 
download another one.


Possible remaining work:
1) Adapters support?  I am thinking about adding simple pluggable SPI 
for client authentication on adapter side. It will be ServiceLoader 
based and it will choose client authentication mechanism based on the 
credentials provided in keycloak.json in webapp. For example when there is:

"credentials": {
     "secret": "password"
}

it uses traditional clientId and clientSecret like now.

When there is:

"credentials": {
     "jwt": {
         "keystoreFile": "classpath:keystore/keystore.jks",
         "keystoreType": "JKS",
         "storePassword": "secret",
         "keyPassword": "secret",
         "tokenExpiration": 10
     }
}

it will authenticate client with signed JWT . WDYT?


2) Example, docs, polishing, maybe adapter tests . But most of automated 
testing is done already. I've added ClientAuthSignedJWTTest for testing 
signed JWT and CustomFlowTest for testing custom client authentication flow.


ETA for 1 and 2 are maybe 2-3 days of work. I will show more on the call 
on Thursday. WDYT?

Marek


[1] https://tools.ietf.org/html/draft-ietf-oauth-assertions-01
[2] https://tools.ietf.org/html/draft-jones-oauth-jwt-bearer-03

More information about the keycloak-dev mailing list