[keycloak-user] Updating a client secret

Brian Watson watson409 at gmail.com
Wed Apr 19 08:51:59 EDT 2017


Hi all,

I've noticed that when a client is created via the API, the caller can
set the client secret. However, on a client update API call, the
client secret cannot be updated. I am aware that there is an API for
resetting a client secret, and another for obtaining the new
secret. However, I was wondering if the ability to update a client
secret on a client update API call could be readdressed. Here is my
use case:

My company is writing a tool that allows us to configure Keycloak via
configuration. One of the main uses is to be able to update the data
for a client for a given microservice in our deployment pipeline. If
we could update the client secret via an update call, then all
configuration could be set before a deployment: the Keycloak client
secret in the tool configuration, and the client secret configuration
in the microservice. During deployment, this would minimize downtime.
Additionally, the tool is simplified, as it doesn't need to know how
the microservice handles its configuration.

However, if we rely on the reset secret functionality, we either have to:
- Use the UI to reset the secret, put the new secret in the
microservice configuration, then deploy. This will create a good
amount of downtime for the microservice -> Keycloak communication.
- Update the tool we are creating to use the reset API, fetch the new
secret, then automatically update the microservice configuration. This
is problematic, as our system is a polyglot system, and the tool would
need some complicated logic and per-microservice customizations to
programmatically update the given microservice's configuration during
deployment.

Again, being able to update a secret with a predefined value would
greatly simplify the tool development and deployment process.

Thoughts?

