- Epic
- Resolution: Unresolved
- Major
We need Keycloak to support specifying client.secret using the Vault.
For example, using the legacy rh-sso operator, we can define a client secret like this in a KeycloakClient YAML:
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: test
  labels:
    app: sso
spec:
  client:
    enabled: true
    id: test
    clientId: test
    secret: secret-in-clear-text   # <-------------------- SEE HERE !
    name: test
    implicitFlowEnabled: false
    publicClient: false
    standardFlowEnabled: false
    directAccessGrantsEnabled: false
    serviceAccountsEnabled: true
    protocol: openid-connect
    attributes:
      access.token.lifespan: '28800'
  realmSelector:
    matchExpressions:
      - key: app
        operator: In
        values:
          - sso
    matchLabels:
      app: sso
It would be good to replace secret: secret-in-clear-text with a reference to an actual secret, i.e. a value from the Vault.
Currently, the Keycloak Vault SPI only supports selected areas (LDAP/SMTP/IDP passwords), so client secrets are not among them.
Please see the documentation: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/vault-administration
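To make concrete what the Vault SPI does for the fields it already covers, the following added example (not Keycloak or operator code) resolves a ${vault.<key>} reference the way the documented files-plaintext vault provider does. It assumes, as that provider's convention, one file per secret named <realm>_<key> in a vault directory, whose content is the secret; the function names, the regular expression and the sample key smtp_password are this example's own. A client's secret value is today a literal that never passes through such a resolver, which is the gap this issue describes.

```python
"""Resolve Keycloak-style ${vault.<key>} references from a files-plaintext directory.

Added illustration, not Keycloak's implementation. Assumed convention:
the secret for key K in realm R is the content of <vault_dir>/R_K.
"""
import os
import re
import tempfile

# A configured value is a vault reference only if it is exactly ${vault.<key>}.
VAULT_REF = re.compile(r"^\$\{vault\.([A-Za-z0-9_.-]+)\}$")


def is_vault_ref(value: str) -> bool:
    """True if the configured value is a vault reference rather than a literal."""
    return VAULT_REF.match(value) is not None


def resolve(realm: str, value: str, vault_dir: str) -> str:
    """Return the secret behind a vault reference, or the literal value unchanged.

    Literals are returned as-is: this is what happens to a client secret today,
    so it ends up stored in clear text in the realm configuration.
    """
    m = VAULT_REF.match(value)
    if m is None:
        return value
    key = m.group(1)
    path = os.path.join(vault_dir, f"{realm}_{key}")  # assumed <realm>_<key> naming
    if not os.path.isfile(path):
        raise KeyError(f"vault key {key!r} not found for realm {realm!r}")
    with open(path, encoding="utf-8") as fh:
        return fh.read().rstrip("\n")


def demo() -> dict:
    """Build a constructed vault directory and resolve a few configured values."""
    with tempfile.TemporaryDirectory() as vault_dir:
        # Constructed sample secret: one file per key, named <realm>_<key>.
        with open(os.path.join(vault_dir, "sso_smtp_password"), "w", encoding="utf-8") as fh:
            fh.write("s3cr3t-from-vault\n")
        return {
            "smtp": resolve("sso", "${vault.smtp_password}", vault_dir),
            "literal": resolve("sso", "secret-in-clear-text", vault_dir),
            "is_ref": is_vault_ref("${vault.smtp_password}"),
            "is_literal": is_vault_ref("secret-in-clear-text"),
        }


def missing_key_raises(realm: str = "sso", key: str = "client_secret") -> bool:
    """A reference to a key absent from the vault must fail loudly, not fall back."""
    with tempfile.TemporaryDirectory() as vault_dir:
        try:
            resolve(realm, f"${{vault.{key}}}", vault_dir)
        except KeyError:
            return True
    return False


if __name__ == "__main__":
    print(demo())
    print("missing key raises:", missing_key_raises())
```

The resolver returns literals untouched on purpose: it shows that a value such as secret-in-clear-text is never looked up anywhere, whereas a value written as ${vault.smtp_password} is fetched from the vault at use time and an unknown key is an error rather than a silent fallback to the literal string.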