
Add support for signed JWT (client assertion) authentication in Java admin client #108

Open
@gim-

Description

The current admin client implementation only supports three options for authentication:

  • Basic username & password - usually considered insecure
  • Client ID and client secret - good and simple option, but not most secure
  • Already existing access token - access token has to be managed outside of the client, and the client instance has to be recreated after every access token expiration

But the most secure way for client authentication, with signed JWT, is not supported, and we'd like to see it implemented or at least be able to override default TokenManager implementation with our own and pass it to the admin client.

Discussion

No response

Motivation

One of our client applications is using the Keycloak Java admin client to make changes in Keycloak realms based on all kinds of business events. However, one of the security requirements in the organisation is to only use signed JWT (client assertion) for client authentication. Basic and client secret are discouraged.

Details

I believe there are 2 things that could be done to improve this and make it future-proof:

  • Add a way to inject a custom TokenManager implementation into a Keycloak instance.
  • Provide an out-of-the-box TokenManager implementation that supports signed JWT authentication and manages the access token lifecycle automatically.

I'm open to contributing by implementing this.
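As an added illustration (not part of this issue or of Keycloak's own code), this is the exchange a signed-JWT TokenManager would have to perform: build an RS256 client assertion and present it to the realm's token endpoint in place of a client secret. It uses only JDK APIs; the class name, client id and endpoint URL are assumed placeholders, and the key pair is generated on the fly for the demo.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpRequest;
import java.nio.charset.StandardCharsets;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;
public class ClientAssertionExample {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // RS256-signed client assertion (RFC 7523 / OIDC private_key_jwt): iss and sub are the client id,
    // aud is the token endpoint, jti is unique so a replay can be rejected, and exp is kept short.
    static String buildClientAssertion(String clientId, String tokenEndpoint,
                                       PrivateKey key, int ttlSeconds) throws Exception {
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"jti\":\"%s\",\"iat\":%d,\"exp\":%d}",
            clientId, clientId, tokenEndpoint, UUID.randomUUID(), now, now + ttlSeconds);
        String signingInput = b64(header) + "." + b64(claims);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }
    // Token request a TokenManager would send: client_credentials grant, client authenticated by the assertion.
    static HttpRequest tokenRequest(String tokenEndpoint, String assertion) {
        String body = "grant_type=client_credentials"
            + "&client_assertion_type=" + enc("urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
            + "&client_assertion=" + enc(assertion);
        return HttpRequest.newBuilder(URI.create(tokenEndpoint))
            .header("Content-Type", "application/x-www-form-urlencoded")
            .POST(HttpRequest.BodyPublishers.ofString(body))
            .build();
    }
    private static String b64(String s) { return B64.encodeToString(s.getBytes(StandardCharsets.UTF_8)); }
    private static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); // throwaway demo key; load from a keystore in practice
        gen.initialize(2048);
        PrivateKey key = gen.generateKeyPair().getPrivate();
        String endpoint = "https://keycloak.example.test/realms/myrealm/protocol/openid-connect/token"; // placeholder
        String assertion = buildClientAssertion("admin-automation", endpoint, key, 60);
        HttpRequest req = tokenRequest(endpoint, assertion);
        System.out.println(req.method() + " " + req.uri()); // send with java.net.http.HttpClient to obtain the access token
    }
}
```

The Keycloak client must be configured with the matching public key (or a JWKS URL) so the server can verify the signature; the private key never leaves the calling application.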
