
Support Signed JWT #6

Open

@torbsto

Description

There are different ways in which Keycloak can authenticate a client (that is, not the user but the backend or frontend). So far we use a client secret, but we also need to support signed JWT.
Here, the client (!) generates a private/public key pair, creates a JWT and signs it with the private key. Additionally, Keycloak needs to know about the public key. There are two options: 1) Upload the key manually. 2) An admin can configure a URL where Keycloak can fetch the cert. This allows rotating keys without having to reconfigure Keycloak and is therefore preferred.

I've made a working PoC of how this can be achieved: https://github.com/bakdata/python-keycloak-oauth/pull/5/files

I think the following things are missing:

  • Endpoint for the public key
  • A utility to read a cert and extract the public key
  • An abstraction over the auth_method (maybe we can just add all those arguments to client_kwargs already?)
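As an added example (not code from python-keycloak-oauth or from the linked PoC), here is the exchange the issue describes, in Python: the client generates its own key pair and signs a client assertion; it publishes the public half as a JWKS document, which is what the "endpoint for the public key" in the list above would serve; the server side fetches that document to select the key by `kid` and verify the assertion. The client id, token endpoint URL and all function names are assumptions, and the `cryptography` package is assumed to be installed.

```python
"""private_key_jwt client authentication: client side and verifier side.

Added example for the issue above; not code from python-keycloak-oauth
or from the linked PoC. Assumes the `cryptography` package is installed;
client id, token endpoint and function names are hypothetical.
"""
import base64
import hashlib
import json
import time
import uuid

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

CLIENT_ID = "example-client"  # constructed value
TOKEN_ENDPOINT = "https://keycloak.example/realms/demo/protocol/openid-connect/token"  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_client_key():
    """The client (not Keycloak) generates the key pair; the private half never leaves it."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def key_id(public_key) -> str:
    """kid = SHA-256 over the DER SubjectPublicKeyInfo: stable per key, distinct across keys."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    return b64url(hashlib.sha256(der).digest())


def public_jwks(*private_keys) -> dict:
    """JWKS document the client's public-key endpoint serves (option 2 in the issue).
    Publishing the old and the new key together is what makes rotation seamless."""
    keys = []
    for priv in private_keys:
        pub = priv.public_key()
        nums = pub.public_numbers()
        to_b64 = lambda i: b64url(i.to_bytes((i.bit_length() + 7) // 8, "big"))
        keys.append({"kty": "RSA", "use": "sig", "alg": "RS256", "kid": key_id(pub),
                     "n": to_b64(nums.n), "e": to_b64(nums.e)})
    return {"keys": keys}


def build_client_assertion(private_key, client_id=CLIENT_ID, audience=TOKEN_ENDPOINT,
                           lifetime=60, now=None) -> str:
    """RFC 7523 client assertion: iss == sub == client_id, aud == token endpoint,
    a short exp and a unique jti so a captured assertion cannot be replayed."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": key_id(private_key.public_key())}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + lifetime, "jti": str(uuid.uuid4())}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    signature = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(signature)


def verify_client_assertion(assertion, jwks, client_id, audience, now=None, seen_jti=None) -> dict:
    """Checks the server side performs against the fetched JWKS; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    jwk = next((k for k in jwks["keys"]
                if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if jwk is None:
        raise ValueError("unknown kid")  # a real verifier would re-fetch the JWKS once here
    n = int.from_bytes(b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(b64url_decode(jwk["e"]), "big")
    try:
        rsa.RSAPublicNumbers(e, n).public_key().verify(
            b64url_decode(sig_b64), f"{header_b64}.{claims_b64}".encode(),
            padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature") from None
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss/sub mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    if seen_jti is not None:  # replay cache keyed by jti; entries can be dropped after exp
        if claims.get("jti") in seen_jti:
            raise ValueError("replayed jti")
        seen_jti.add(claims["jti"])
    return claims


def assertion_accepted(assertion, jwks, client_id=CLIENT_ID, audience=TOKEN_ENDPOINT,
                       now=None, seen_jti=None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_client_assertion(assertion, jwks, client_id, audience, now, seen_jti)
        return True
    except ValueError:
        return False
```

To rotate, the client generates a new key, serves both keys from `public_jwks(old_key, new_key)` until every cached JWKS has expired, then starts signing with the new key and finally drops the old one; nothing on the Keycloak side needs reconfiguring because the `kid` in the assertion header selects the key. The verifier pins `RS256`, rejects unknown `kid` values, and keeps a `jti` cache so that a captured assertion is refused on second use; Keycloak's own implementation performs equivalent checks but is not the code shown here.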
