Red Hat build of Keycloak: RHBK-659

Add support for specifying client.secret using vault


    • RHBK-264 - Operator CRs for Clients

      We need Keycloak to support specifying client.secret using the Vault.

      For example, with the legacy rh-sso operator, the client secret is written in clear text into the KeycloakClient CR, as in the following YAML:

      apiVersion: keycloak.org/v1alpha1
      kind: KeycloakClient
      metadata:
        name: test
        labels:
          app: sso
      spec:
        client:
          enabled: true
          id: test
          clientId: test
          secret: secret-in-clear-text   # <-- SEE HERE: the client secret is stored in clear text in the CR
          name: test
          implicitFlowEnabled: false
          publicClient: false
          standardFlowEnabled: false
          directAccessGrantsEnabled: false
          serviceAccountsEnabled: true
          protocol: openid-connect
          attributes:
            access.token.lifespan: '28800'
        realmSelector:
          matchExpressions:
            - key: app
              operator: In
              values:
                - sso
          matchLabels:
            app: sso
      

      It would be good to be able to replace secret: secret-in-clear-text with a reference to an actual secret, or to a value from the Vault.

      Currently, the Keycloak Vault SPI only supports selected areas (LDAP/SMTP/IDP passwords), so client secrets are not among them.
      Please see the documentation: https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.6/html/server_administration_guide/vault-administration

      cf. https://github.com/keycloak/keycloak/issues/13102
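Until client secrets can be referenced from a Secret or the Vault, the CR schema shown above at least makes the exposure easy to audit for. The following is an added example for this issue, not code from the issue, the rh-sso operator or Keycloak: a standard-library-only Python script that scans a set of KeycloakClient manifests (a constructed sample is embedded) and reports every spec.client.secret entry with its line number. Because the Vault SPI does not cover client secrets, a ${vault.…} reference in that field is not resolved either, so the script reports it as a separate finding instead of treating it as safe. The block-mapping reader, the sample manifests and the finding categories are all assumptions of this example; for arbitrary YAML use a real parser.

```python
"""Audit KeycloakClient CRs (legacy rh-sso operator schema) for client
secrets committed in clear text.  Added example for RHBK-659; not code
from the issue, the operator or Keycloak.  The reader below handles only
the block-style mappings that CR uses, so it needs no PyYAML."""
import re
from dataclasses import dataclass

# Matches "key:", "key: value" and "- key: value" lines.  Flow style,
# multi-line scalars, anchors and '#' inside values are out of scope.
KEY_RE = re.compile(
    r"^(?P<indent>\s*)(?:- )?(?P<key>[A-Za-z0-9_.\-]+):(?:\s+(?P<value>.*))?$")

# Keycloak vault references have the form ${vault.<key>} (see the linked
# vault administration guide); the SPI does not apply them to client secrets.
VAULT_REF_RE = re.compile(r"^\$\{vault\.[^}]+\}$")


@dataclass
class Finding:
    name: str       # metadata.name of the KeycloakClient
    client_id: str  # spec.client.clientId
    line: int       # 1-based line of the offending "secret:" entry
    reason: str


def parse_documents(text):
    """Return [(values, lines), ...] per YAML document: values maps dotted
    key paths (e.g. "spec.client.secret") to scalar strings, lines maps the
    same paths to their 1-based line numbers in the input."""
    docs, values, lines, stack = [], {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop comments (naive)
        if not line.strip():
            continue
        if line.strip() == "---":             # document separator
            if values:
                docs.append((values, lines))
            values, lines, stack = {}, {}, []
            continue
        m = KEY_RE.match(line)
        if not m:
            continue                           # e.g. "- sso" list scalars
        indent = len(m.group("indent"))
        while stack and stack[-1][0] >= indent:  # leave nested mappings
            stack.pop()
        path = ".".join([k for _, k in stack] + [m.group("key")])
        value = m.group("value")
        if value is None:
            stack.append((indent, m.group("key")))  # nested mapping starts
        else:
            values[path] = value.strip().strip("'\"")
            lines[path] = lineno
    if values:
        docs.append((values, lines))
    return docs


def audit(text):
    """Return one Finding per KeycloakClient whose spec.client.secret is set."""
    findings = []
    for values, lines in parse_documents(text):
        if values.get("kind") != "KeycloakClient":
            continue
        secret = values.get("spec.client.secret")
        if secret is None:
            continue  # public client or secret omitted: nothing in the CR to leak
        if VAULT_REF_RE.match(secret):
            reason = ("${vault...} reference, which the Vault SPI does not "
                      "resolve for client secrets (see this issue)")
        else:
            reason = "clear-text client secret in the manifest"
        findings.append(Finding(values.get("metadata.name", "<unnamed>"),
                                values.get("spec.client.clientId", "<unknown>"),
                                lines["spec.client.secret"], reason))
    return findings


# Constructed sample: a confidential client with a clear-text secret, a
# public client without one, and a client using a vault-style reference.
SAMPLE_MANIFESTS = """\
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: test
  labels:
    app: sso
spec:
  client:
    clientId: test
    secret: secret-in-clear-text
    publicClient: false
    serviceAccountsEnabled: true
  realmSelector:
    matchLabels:
      app: sso
---
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: spa
spec:
  client:
    clientId: spa
    publicClient: true
---
apiVersion: keycloak.org/v1alpha1
kind: KeycloakClient
metadata:
  name: backend
spec:
  client:
    clientId: backend
    secret: ${vault.backend_client_secret}
    publicClient: false
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_MANIFESTS):
        print(f"{f.name} (clientId={f.client_id}) line {f.line}: {f.reason}")
```

Run against a directory of manifests by concatenating them with "---" separators; the line numbers then refer to the concatenated input, so keep the per-file mapping if you need to point at a file. The vault-reference finding is deliberately not suppressed: writing ${vault.…} into this field does not make the secret come from the Vault, it only changes which literal string ends up in Keycloak.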

Assignee: Unassigned
Reporter: Michal Hajas (mhajas@redhat.com)
Votes: 5
Watchers: 14