[keycloak-user] Updating a client secret

Marek Posolda mposolda at redhat.com
Wed Apr 19 12:11:43 EDT 2017


You're right. It seems we don't have the possibility to update the secret. I 
agree that it might be useful for some cases. It can be set just during 
client creation or realm import though.

It looks like your options for now are to either:
- use client creation or realm import instead of client update
- update your tool to retrieve the generated secret from the client
- create a custom REST endpoint, which will allow you to update the client 
including the secret (see the Keycloak docs and the example in the "providers" 
directory on how to do that).

Feel free to create a JIRA for it.

Marek

On 19/04/17 14:51, Brian Watson wrote:
> Hi all,
>
> I've noticed that when a client is created via the API, the caller can
> set the client secret. However, on a client update API call, the
> client secret cannot be updated. I am aware that there is an API for
> resetting a client secret, and another for obtaining the new
> secret. However, I was wondering if the ability to update a client
> secret on a client update API call could be readdressed. Here is my
> use case:
>
> My company is writing a tool that allows us to configure keycloak via
> configuration. One of the main uses is to be able to update the data
> for a client for a given microservice in our deployment pipeline. If
> we could update the client secret via an update call, then all
> configuration could be set before a deployment: the keycloak client
> secret in the tool configuration, and the client secret configuration
> in the microservice. During deployment, this would minimize downtime.
> Additionally, the tool is simplified, as it doesn't need to know how
> the microservice handles its configuration.
>
> However, if we rely on the reset secret functionality, we either have to:
> - Use the UI to reset the secret, put the new secret in the
> microservice configuration, then deploy. This will create a good
> amount of downtime for the microservice -> keycloak communication.
> - Update the tool we are creating to use the reset API, fetch the new
> secret, then automatically update the microservice configuration. This
> is problematic, as our system is a polyglot system, and the tool would
> need some complicated logic and per-microservice customizations to
> programmatically update the given microservice's configuration during
> deployment.
>
> Again, being able to update a secret with a predefined value would
> greatly simplify the tool development and deployment process.
>
> Thoughts?
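The second option in the reply above (have the tool retrieve the generated secret), as an added example that is not part of the original thread or Keycloak's own code. It uses the reset and fetch calls of the Admin REST API mentioned in the question, and assumes an admin bearer token is already available, that `base` includes any `/auth` prefix the server uses, and that each service reads its secret from a file; the function names are hypothetical.

```python
import json
import os
import urllib.parse
import urllib.request


def admin_call(method, url, token):
    """Send one authenticated Admin REST request and decode the JSON reply."""
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def rotate_client_secret(base, realm, client_id, token, call=admin_call):
    """Regenerate the secret of `client_id` and return the new value."""
    realm_url = f"{base}/admin/realms/{urllib.parse.quote(realm, safe='')}"
    query = urllib.parse.quote(client_id, safe="")
    # The secret endpoints take the internal id, not the public clientId.
    clients = call("GET", f"{realm_url}/clients?clientId={query}", token)
    if len(clients) != 1:
        raise LookupError(
            f"expected one client named {client_id!r}, got {len(clients)}")
    secret_url = f"{realm_url}/clients/{clients[0]['id']}/client-secret"
    call("POST", secret_url, token)        # reset: server generates a new secret
    cred = call("GET", secret_url, token)  # fetch the generated secret
    if not cred.get("value"):
        raise RuntimeError("server returned no secret value")
    return cred["value"]                   # never log or print this value


def write_secret_file(path, secret):
    """Hand the secret to the service through an owner-only file."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fd, 0o600)   # enforce the mode even if tmp already existed
        fh.write(secret)
    os.replace(tmp, path)      # atomic swap: readers never see a partial file
```

Writing the secret to a file keeps the tool independent of each service's language, at the cost of the service having to reload that file after a rotation.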
