[keycloak-dev] Suggestion of fields covered by Vault SPI

Stian Thorgersen sthorger at redhat.com
Fri Aug 23 07:10:09 EDT 2019


On Fri, 23 Aug 2019 at 12:11, Michal Hajas <mhajas at redhat.com> wrote:

> Thank you for responding Stian. Comments below.
>
> On Thu, Aug 22, 2019 at 1:58 PM Stian Thorgersen <sthorger at redhat.com>
> wrote:
>
> >  - Client secret (should be easy)
> >>
> >
> > -1 We should recommend jwt auth or mtls here instead as it provides
> better
> > security. When those are used Keycloak only stores the public part so
> > doesn't need to be stored securely.
> >
> > Well, you are right. Why do we have secrets then? Can it be removed and
> replaced by jwt or mtls?
>
> >
> >> There are also other fields which we were considering, however, we
> decided
> >> not to add them for now. Feel free to comment on any of these fields or
> >> suggest new ones. We are open to adding any new fields in case of
> reasonable
> >> arguments.
> >>
> >>  - KeyProviders - This part should be probably added soon as some
> >> follow-up
> >> work. It might be a little bit tricky as we don't want to duplicate each
> >> KeyProvider with its Vault*KeyProvider version.
> >>
> >
> > Can't we just add an option to existing providers to be able to load keys
> > from the vault?
> >
>
> I am sure there is a possibility of how to do it in an elegant way. I
> haven't investigated it yet (maybe someone else has). The question at the
> moment is, whether to include it in the initial implementation or do it as
> follow-up work.
>

Follow-up


>
> >
> >  - Credential Attributes
> >>
> >
> > What credential attributes? Can you give some examples here?
> >
>
> I was not sure what exactly is stored in there, so I rather put it here to
> obtain feedback if somebody knows about something which is worth storing in
> the vault.
>
> >
> >  - Federated User Credentials
> >>
> >
> > These are just stored as hashed passwords right? As user credentials they
> > should be encrypted in db not stored in the vault.
> >
>
> It should be the same as User Credentials.
>

As a general note, credentials/secrets for users and clients should not be
stored in the vault, and should rather be encrypted at rest in the
database. As always, things can be discussed, but I would like to have a
good explanation before we support loading any credentials from the vault
into a user or client.



