Uploaded image for project: 'Red Hat build of Keycloak'
  1. Red Hat build of Keycloak
  2. RHBK-659

Add support for specifying client.secret using vault

XMLWordPrintable

    • Support for specifying client.secret using vault
    • False
    • Hide

      None

      Show
      None
    • False
    • RHBK-264 - Operator CRs for Clients
    • RHBK-264Operator CRs for Clients

      We need to support in Keycloak for specifying client.secret using Vault.

      For example, using the legacy rh-sso operator, we can define a secret like this in the following yaml:

      apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: test
  labels:
    app: sso
spec:
  client:
    enabled: true
    id: test
    clientId: test
    secret: secret-in-clear-text                <-------------------- SEE HERE !
    name: test
    implicitFlowEnabled: false
    publicClient: false
    standardFlowEnabled: false
    directAccessGrantsEnabled: false
    serviceAccountsEnabled: true
    protocol: openid-connect
    attributes:
      access.token.lifespan: '28800'
  realmSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - sso
    matchLabels:
      app: sso

      It will be good to replace secret: secret-in-clear-text with an actual secret or a value from the Vault.

      Currently, the Keycloak Vault SPI only supports selected areas (LDAP/SMTP/IDP passwords), hence Client Secrets is not one of them.
      Please see the documentation: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/vault-administration

      cf. https://github.com/keycloak/keycloak/issues/13102

            Unassigned Unassigned
            mhajas@redhat.com Michal Hajas
            Votes:
            5 Vote for this issue
            Watchers:
            14 Start watching this issue

              Created:
              Updated: