[keycloak-user] OIDC Client Secret Encryption

Reese Garth reese.garth at indexexchange.com
Wed Jun 26 10:01:55 EDT 2019


Hi,

I have APIs that I’d like to give programmatic access to partners and I have some questions on how best to use Keycloak to facilitate this. From the research I’ve done, it seems that the best method is to use the client credentials grant where each partner can create a new client in Keycloak and have their app authenticate as that client to access the APIs. My largest hesitation with using this method is that the client secret is stored in plaintext and is visible in the admin UI.


  1.  Is there a particular reason the generated client secret is stored in plaintext? I’m assuming there is, but I can’t figure out what it would be.
  2.  Is there any possibility to add encrypted client secrets as a feature in the future?
  3.  Are there any alternatives/best practices for programmatic access that make use of Keycloak?

Thanks for your time,
Reese



