[keycloak-dev] Suggestion of fields covered by Vault SPI
Stian Thorgersen
sthorger at redhat.com
Thu Aug 22 07:57:47 EDT 2019
On Thu, 22 Aug 2019, 08:30 Michal Hajas, <mhajas at redhat.com> wrote:
> Hi all,
>
> we are gathering the fields that can obtain their value from the vault.
> We decided to start with a small subset of fields and then add more
> if needed.
>
> The suggested subset is the following:
> - SMTP password
> - LDAP password
> - Identity provider secret
>
+1 to all above
> - Client secret (should be easy)
>
-1 We should recommend JWT auth or mTLS here instead as it provides better
security. When those are used Keycloak only stores the public part, so it
doesn't need to be stored securely.
> There are also other fields which we were considering, however, we decided
> not to add them for now. Feel free to comment on any of these fields or
> suggest new ones. We are open to adding any new fields if there are reasonable
> arguments.
>
> - KeyProviders - This part should be probably added soon as some follow-up
> work. It might be a little bit tricky as we don't want to duplicate each
> KeyProvider with its Vault*KeyProvider version.
>
Can't we just add an option to existing providers to be able to load keys
from the vault?
> - SAML keys (private key for signing, encryption)
>
OIDC keys as well. Let's do this on demand though as I'm not convinced this
belongs in the vault, but should rather be encrypted.
> - External tokens from identity brokering
>
Tokens don't belong in the vault. They should be stored encrypted in the
db.
> - User credentials (hashed passwords, OTP secrets, etc.)
>
User credentials should not be stored in the vault. They should be
encrypted in the db. Further, I don't think it's even needed to encrypt them.
Passwords are hashed. OTP secrets have their limitations anyway, and the
future is WebAuthn, which means Keycloak only stores the public key.
> - Credential Attributes
>
What credential attributes? Can you give some examples here?
> - Federated User Credentials
>
These are just stored as hashed passwords, right? As user credentials they
should be encrypted in the db, not stored in the vault.
> - Federated User Credential Attributes
>
> Best regards,
> Michal
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
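The split discussed in this thread, configuration-level secrets (SMTP, LDAP, identity provider) resolved from the vault while user credentials and tokens are kept out of it, as an added example that is not code from the thread or from Keycloak. It assumes Keycloak's documented `${vault.key}` expression form and the files-plaintext vault layout (one file per secret named `<realm>_<key>`); the field names in the allow-list are constructed, and the allow-list check itself is this example's own policy, not part of the SPI.

```python
"""Resolve Keycloak-style ``${vault.<key>}`` references in realm configuration.

Added example, not Keycloak's own code. The ``${vault.key}`` expression and the
files-plaintext layout (one file per secret named ``<realm>_<key>``) are taken
from Keycloak's documented vault, but treated here as assumptions.
"""
import re
from pathlib import Path
from tempfile import TemporaryDirectory

VAULT_REF = re.compile(r"^\$\{vault\.([A-Za-z0-9_.-]+)\}$")

# Configuration-level secrets the thread proposes to back by the vault
# (constructed field names; the allow-list is this example's own policy).
VAULT_BACKED_FIELDS = {"smtp.password", "ldap.bindCredential", "idp.clientSecret"}


class VaultKeyMissing(KeyError):
    pass


def read_vault_secret(vault_dir: Path, realm: str, key: str) -> str:
    """Look up one secret in a files-plaintext style vault directory."""
    path = vault_dir / f"{realm}_{key}"
    if not path.is_file():
        raise VaultKeyMissing(f"{realm}/{key}")
    return path.read_text().strip()


def resolve_config(config: dict, vault_dir: Path, realm: str) -> dict:
    """Copy ``config``, replacing vault references with the secrets they name.
    A reference in a field outside the allow-list (e.g. a user credential) is
    rejected: per the thread, such data belongs encrypted in the DB, not here."""
    resolved = {}
    for field, value in config.items():
        m = VAULT_REF.match(value) if isinstance(value, str) else None
        if m is None:
            resolved[field] = value  # plain value, passed through untouched
            continue
        if field not in VAULT_BACKED_FIELDS:
            raise ValueError(f"vault reference not allowed in field {field!r}")
        resolved[field] = read_vault_secret(vault_dir, realm, m.group(1))
    return resolved


def demo(config: dict) -> dict:
    """Run ``resolve_config`` against a constructed one-secret vault directory."""
    with TemporaryDirectory() as tmp:
        (Path(tmp) / "myrealm_smtp_password").write_text("s3cr3t\n")
        return resolve_config(config, Path(tmp), "myrealm")
```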