Red Hat build of Keycloak: RHBK-474

Supported Client Secret Rotation



      Narrative

      Regular rotation of client secrets is an important aspect of keeping a Keycloak deployment secure. Rotation has one complicating factor, however: it is almost impossible to coordinate the update of the secret in Keycloak and in the application so that both happen simultaneously. Both the new and the old secret therefore need to be accepted for some overlapping period.

      Client secret rotation was introduced as a tech preview feature in Keycloak 18 to provide a solution to the above problem.

      Relevant documentation is available in the server admin guide.
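      A small model of the overlap window described above, added here as an illustration and not Keycloak's own implementation: after a rotation the previous secret stays valid until its expiry, so the application can switch to the new value at its own pace. Secret values, the timeline and the 3600 s window are constructed; the `ClientSecretState` class and its methods are hypothetical names.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClientSecretState:
    """Current client secret plus at most one rotated (previous) secret.

    Illustrative model only: the rotated secret is accepted until
    `rotated_expires_at` (epoch seconds), giving the application an
    overlap window in which to pick up the new secret.
    """
    current: str
    rotated: Optional[str] = None
    rotated_expires_at: Optional[int] = None

    def rotate(self, now: int, overlap_seconds: int) -> str:
        """Issue a new secret; keep the old one valid for overlap_seconds."""
        self.rotated = self.current
        self.rotated_expires_at = now + overlap_seconds
        self.current = secrets.token_urlsafe(32)
        return self.current

    def verify(self, presented: str, now: int) -> Optional[str]:
        """Return 'current', 'rotated' or None; comparisons are constant-time."""
        candidate = presented.encode("utf-8")
        if hmac.compare_digest(candidate, self.current.encode("utf-8")):
            return "current"
        if (self.rotated is not None and self.rotated_expires_at is not None
                and now < self.rotated_expires_at
                and hmac.compare_digest(candidate, self.rotated.encode("utf-8"))):
            return "rotated"
        return None  # unknown secret, or rotated secret past its overlap window


def simulate_rotation() -> dict:
    """One rotation on a constructed timeline with a 3600 s overlap window."""
    state = ClientSecretState(current="old-secret-constructed")
    old = state.current
    new = state.rotate(now=1_000_000, overlap_seconds=3600)
    return {
        "old_during_overlap": state.verify(old, now=1_000_000 + 1800),
        "new_during_overlap": state.verify(new, now=1_000_000 + 1800),
        "old_after_overlap": state.verify(old, now=1_000_000 + 3600),
        "unknown": state.verify("wrong-secret", now=1_000_000 + 10),
    }
```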

      Value Proposition

      • Allows seamlessly rotating client secrets without disruptions to the client
      • Regular rotation of secrets is a good security practice
      • Making the feature supported makes it possible to use this feature in production deployments

      Acceptance Criteria

      • Review client secret rotation preview feature to consider if it is ready to graduate to a fully supported feature
      • Resolve any important open bugs reported against the feature
      • Feature marked as fully supported and enabled by default

            mposolda@redhat.com Marek Posolda
            mnocon@redhat.com Marek Nocon
            Keycloak Core Clients