Add support for looking up client secrets via Vault SPI #39650
This PR adds support for resolving client secrets via the Vault SPI, enabling retrieval from secure storage instead of storing them in plaintext in the database. While the Vault SPI has some usability limitations, this approach is less invasive than alternatives like hashing or introducing new encrypt/decrypt SPI. It also preserves the plaintext access to the secret, which is required by existing use cases.
Notes:
(1) At the moment, the admin console only supports generating new random client secrets. There is no way for administrators to specify a vault reference value. However, the Admin REST API does support setting the client secret explicitly, including reference values. To fully support this feature, the admin console will need to be extended to allow entering reference values as well. Note: If a new random client secret is generated via the admin console, it will overwrite the existing reference.
(2) The client secret rotation feature introduces additional complexity. Triggering rotation will overwrite any reference-based secret with a newly generated random secret.
(3) Since the client secret may be accessed frequently, using a remote Vault SPI implementation with network communication can introduce latency. To avoid repeated lookups, Vault SPI implementation may choose to add caching.
TODO
Fixes #13102
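The resolution behaviour the description outlines (a stored secret is either a literal value or a vault reference that is looked up at use time) together with the caching suggested in note (3), as an added, self-contained example. This is not code from the PR or from Keycloak: the `VaultLookup` interface, `ClientSecretResolver`, and the in-memory backing map are hypothetical stand-ins for the real Vault SPI provider, and the vault values are constructed. The `${vault.<key>}` reference format is Keycloak's documented vault reference convention.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ClientSecretResolver {

    // Keycloak's vault reference convention: ${vault.<key>}
    private static final Pattern VAULT_REF = Pattern.compile("^\\$\\{vault\\.(.+?)\\}$");

    /** Hypothetical stand-in for a Vault SPI provider: maps a key to a secret, if present. */
    public interface VaultLookup {
        Optional<String> obtainSecret(String key);
    }

    /** Cached secret plus the instant after which it must be fetched again. */
    private static final class CacheEntry {
        final String value;
        final Instant expiresAt;
        CacheEntry(String value, Instant expiresAt) {
            this.value = value;
            this.expiresAt = expiresAt;
        }
    }

    private final VaultLookup vault;
    private final Duration ttl;
    private final Map<String, CacheEntry> cache = new ConcurrentHashMap<>();

    public ClientSecretResolver(VaultLookup vault, Duration ttl) {
        this.vault = vault;
        this.ttl = ttl;
    }

    /** True when the stored client secret is a vault reference rather than a literal value. */
    public static boolean isVaultReference(String stored) {
        return stored != null && VAULT_REF.matcher(stored).matches();
    }

    /**
     * Returns the effective client secret. A literal stored value is returned unchanged;
     * a vault reference is resolved through the provider and cached for {@code ttl} so
     * that a remote vault is not contacted on every client authentication.
     */
    public Optional<String> resolve(String stored) {
        if (stored == null) {
            return Optional.empty();
        }
        Matcher m = VAULT_REF.matcher(stored);
        if (!m.matches()) {
            return Optional.of(stored);            // plaintext secret stored in the database
        }
        String key = m.group(1);
        CacheEntry hit = cache.get(key);
        if (hit != null && Instant.now().isBefore(hit.expiresAt)) {
            return Optional.of(hit.value);         // fresh cache entry, no vault round trip
        }
        Optional<String> fromVault = vault.obtainSecret(key);
        if (fromVault.isPresent()) {
            cache.put(key, new CacheEntry(fromVault.get(), Instant.now().plus(ttl)));
        } else {
            cache.remove(key);                     // a missing key must not be served from a stale entry
        }
        return fromVault;
    }

    /** Drop a cached entry, e.g. after the secret was rotated in the vault. */
    public void invalidate(String key) {
        cache.remove(key);
    }

    public static void main(String[] args) {
        // Constructed in-memory vault standing in for a real provider.
        Map<String, String> backing = new ConcurrentHashMap<>();
        backing.put("myclient_secret", "constructed-vault-value");
        VaultLookup vault = key -> Optional.ofNullable(backing.get(key));
        ClientSecretResolver resolver = new ClientSecretResolver(vault, Duration.ofSeconds(30));

        System.out.println(resolver.resolve("${vault.myclient_secret}"));
        System.out.println(resolver.resolve("literal-secret-from-db"));
        System.out.println(resolver.resolve("${vault.does_not_exist}"));

        // Audit check for notes (1) and (2): after a regenerate or rotation the stored
        // value is a random literal, so the client is no longer backed by the vault.
        System.out.println(isVaultReference("${vault.myclient_secret}"));
        System.out.println(isVaultReference("random-generated-value"));
    }
}
```

The `isVaultReference` check is the piece an operator would run over clients after an admin-console regenerate or a rotation, since both replace the reference with a random literal as the notes describe. The TTL cache bounds the latency cost from note (3), and `invalidate` exists so that a rotation performed in the vault itself does not keep serving the previous value until the entry expires.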