Keycloak issue KEYCLOAK-13933: Client Policies

Details

    • Client Policies
    • Done
    • NEW
    • NEW

    Description

      To make it easy to secure client applications, it is beneficial to realize the following three points in a unified way:

      1. Setting policies on what configuration a client can have
      2. Validation of client configurations
      3. Conformance to a security profile such as FAPI

      Points 1 and 2 are already realized by the current Keycloak, but not in a flexible and comprehensive way.

      To realize all three points in a unified way, the "Client Policies" concept is introduced here.

      Point 3 will be realized by Client Conformance Profiles built on these Client Policies; that work discusses which kinds of security profiles, such as FAPI, are supported and how to implement them.

      Issue Links (sub-tasks; each entry lists summary, type, status, priority, assignee)

        1. Client Policy : Basics (Sub-task; Closed; Major; Unassigned)
        2. Client Policy - Condition : The way of creating/updating a client (Sub-task; Closed; Major; Unassigned)
        3. Client Policy - Condition : Author of a client - User Group (Sub-task; Closed; Major; Unassigned)
        4. Client Policy - Condition : Author of a client - User Role (Sub-task; Closed; Major; Unassigned)
        5. Client Policy - Condition : Client - Client Access Type (Sub-task; Closed; Major; Unassigned)
        6. Client Policy - Condition : Client - Client Domain Name (Sub-task; Closed; Major; Unassigned)
        7. Client Policy - Condition : Client - Client Role (Sub-task; Closed; Major; Unassigned)
        8. Client Policy - Condition : Client - Client Scope (Sub-task; Closed; Major; Unassigned)
        9. Client Policy - Condition : Client - Client Host (Sub-task; Closed; Major; Unassigned)
        10. Client Policy - Condition : Client - Client IP (Sub-task; Closed; Major; Unassigned)
        11. Client Policy - Executor : Enforce more secure client authentication method when client registration (Sub-task; Closed; Major; Unassigned)
        12. Client Policy - Executor : Enforce Holder-of-Key Token (Sub-task; Closed; Major; Unassigned)
        13. Client Policy - Executor : Enforce Proof Key for Code Exchange (PKCE) (Sub-task; Closed; Major; Unassigned)
        14. Client Policy - Executor : Enforce secure signature algorithm for Signed JWT client authentication (Sub-task; Closed; Major; Unassigned)
        15. Client Policy - Executor : Enforce HTTPS URIs (Sub-task; Closed; Major; Unassigned)
        16. Client Policy - Executor : Enforce Request Object satisfying high security level (Sub-task; Closed; Major; Unassigned)
        17. Client Policy - Executor : Enforce Response Type of OIDC Hybrid Flow (Sub-task; Closed; Major; Unassigned)
        18. Client Policy - Executor : Enforce more secure state and nonce treatment for preventing CSRF (Sub-task; Closed; Major; Unassigned)
        19. Client Policy - Executor : Enforce more secure client signature algorithm when client registration (Sub-task; Closed; Major; Unassigned)
        20. Client Policy : Pre-set Policies (including FAPI preset policies) (Sub-task; Closed; Major; Marek Posolda)
        21. Client Policy : UI on old Admin Console (Sub-task; Closed; Major; Marek Posolda)
        22. Client Policy : Extends Policy Interface to Migrate Client Registration Policies (Sub-task; Closed; Major; Unassigned)
        23. Client Policy - Condition : Client - Any Client (Sub-task; Closed; Major; Unassigned)
        24. Client Policy : Support New Admin REST API (Implementation) (Sub-task; Closed; Major; Unassigned)
        25. Client Policy : Implement existing "ConsentRequiredClientRegistrationPolicy" as Client Policies' executor (Sub-task; Closed; Major; Unassigned)
        26. Client Policy : Implement existing "ScopeClientRegistrationPolicy" as Client Policies' executor (Sub-task; Closed; Major; Marek Posolda)
        27. Client Policy - Condition : Negative Logic Support (Sub-task; Closed; Major; Unassigned)
        28. Client Policy : Refactor Test Class (Sub-task; Closed; Major; Unassigned)
        29. Client Policy - Executor : Limiting available period of Request Object (Sub-task; Closed; Major; Unassigned)
        30. Client Policy - Executor : Only Accept Confidential Client (Sub-task; Closed; Major; Unassigned)
        31. SecureSigningAlgorithmEnforceExecutor: Ability to auto-configure default algorithm (Sub-task; Closed; Major; Unassigned)
        32. Use "auto-configure" instead of "is-augment" (Sub-task; Closed; Major; Marek Posolda)
        33. Determine public client based on "token_endpoint_auth_method" during OIDC dynamic client registration (Sub-task; Closed; Major; Unassigned)
        34. SecureSigningAlgorithmForSignedJwtEnforceExecutor polishing for FAPI (Sub-task; Resolved; Major; Unassigned)
        35. Use KeycloakSession.getComponentProvider for executors and conditions to achieve good performance (Sub-task; Closed; Major; Marek Posolda)
        36. Not possible to create client in the admin console when client policy with "secure-redirecturi-enforce-executor" condition is used (Sub-task; Closed; Major; Unassigned)
        37. Enable Client policies feature by default (Sub-task; Closed; Major; Marek Posolda)
        38. Remove support for built-in client policies (Sub-task; Closed; Major; Marek Posolda)
        39. Client Policy UI Improvements: Executors and Conditions (Sub-task; Closed; Major; Václav Muzikář)
        40. Client Policy UI Improvements: Action column for built-in profile (Sub-task; Closed; Optional; Václav Muzikář)
        41. Client Policy UI Improvements: Add delete confirmation modal dialog (Sub-task; Closed; Minor; Václav Muzikář)
        42. Client Policy UI Improvements: Navigation (Sub-task; Closed; Minor; Václav Muzikář)
        43. Client Policy: UI tests (old Admin Console) (Sub-task; Closed; Major; Václav Muzikář)
        44. SecureRequestObjectExecutor: support for skip nbf check (Sub-task; Closed; Major; Unassigned)
        45. Client Policy UI Improvements: JSON error handling (Sub-task; Closed; Major; Václav Muzikář)
        46. Configuration of executor of incorrect profile is used when two profiles with executor of same type (Sub-task; Closed; Major; Marek Posolda)
        47. Refactor some executor/condition provider IDs (Sub-task; Closed; Major; Marek Posolda)
        48. Option for skip return user's claims in the ID Token for hybrid flow (Sub-task; Closed; Major; Unassigned)
        49. SecureResponseTypeExecutor: polishing for FAPI 1 final (Sub-task; Closed; Major; Unassigned)
        50. Issues with boolean properties of executors (Sub-task; Closed; Major; Marek Posolda)
        51. RefreshTokenRequest returns incorrect error code during failed HoK request (Sub-task; Closed; Major; Unassigned)

      People

        mposolda@redhat.com Marek Posolda
        tnorimat Takashi Norimatsu
        Votes: 0
        Watchers: 5
