Client secret: support seamless rotation #8475

stianst · 2021-09-24T09:48:50Z

stianst
Sep 24, 2021
Maintainer

Rejected in favour of #9156

Alternative proposal here: #9156

Best practices require secrets to be rotated on a regular basis. This is currently difficult to achieve since its not possible to seamlessly rotate client secrets as a client can only have a single secret at a time. This results in having to synchronously update both the client secret in Keycloak and in the application at the same time, which is in most cases very hard, if not impossible to achieve.

To support seamless rotation of client secrets Keycloak should support the ability to have a primary and a secondary secret for a client. In addition it should be possible to set an expiration time on the secondary secret.

When updating the client secret the Admin Console and Admin APIs should have the following options:

Setting a new primary secret. This will overwrite the primary secret, and make sure there is no secondary secret. This should be the default behaviour for backwards compatiblity.
Setting a new primary secret, and moving the current secret to the secondary secret. It should optionally be possible to set an expiration time on the secondary secret.

JIRA: https://issues.redhat.com/browse/KEYCLOAK-14567

jbman · 2021-09-24T11:32:56Z

jbman
Sep 24, 2021

Proposal: Provide explicit management for two or multiple secrets which are all valid if set. No need for primary and secondary semantics. An optional description ids helpful, to mark the secret as "current" or as "new one".
It is up to an admin to remove the unused client credential after a rotation phase. A timstamp with last usage would help to see when a secret wasn't in use for some time so that it could be removed.

2 replies

stianst Sep 24, 2021 8000
Maintainer Author

Was thinking about something like that, but from my perspective that seems more complicated both to use and implement.

Isn't a flow with a explicit new (primary) and and old (secondary) simpler to use? You then just follow these steps:

Generate new secret
Update application and verify
Commit

If you do ids and timestamps that means you need to remember what ID was the old one, to then remove that specific ID at the end, which seems completely unnecessary to me.

jbman Sep 24, 2021

The two manageable secrets is just the approach that is used for AWS access keys. I would prefer this atomic operations of secret creation and deletion. Convenience actions could be supported on top.

Start rotation: Checks that only one secret is defined. Sets a "previous" flag at this secret. Creates new secret and set a "next" flag.
Finish rotation: Deletes secret which has "previous" flag. Removes "next" flag from remaining secret.

ath88 · 2021-09-28T07:50:50Z

ath88
Sep 28, 2021

It would also be beneficial if Keycloak could emit some sort of warning when a 'deprecated' or 'secondary' key is used. That will make it easier to notice if a client hasn't been updated to use the new secret.

4 replies

jbman Sep 28, 2021

Warning to the client? That would be good but the OAuth protocol only defines successful authentication or an error. https://www.oauth.com/oauth2-servers/access-tokens/access-token-response/
Successful authentication with warning is difficult to achieve (i.e. not covered by the standard).

Warning to an Admin? At admin console client secret screen?

ath88 Sep 28, 2021

I was thinking just a warning event that can be emitted to an event listener - similar to other login events.

jbman Sep 29, 2021

I agree, if the secret gets a "deprecated" flag/state then such an event would be nice. However this would be some new kind of synthetic event in addition to the existing ones. Currently events like CLIENT_LOGIN or CODE_TO_TOKEN are emitted. In addition there could be an event like CLIENT_SECRET_DEPRECATED.

mposolda Oct 27, 2021
Maintainer

I am not sure about introducing another event type for this, however I agree that we can possibly add "detail" (attribute) to an existing events to inform that client authentication was done with the "deprecated" secret. This should be possible to do for any functionality, which uses client authentication (EG. code-to-token, refresh token, token introspection etc).

sschu · 2021-09-28T16:41:14Z

sschu
Sep 28, 2021
Collaborator

The way Azure AD does it is by allowing arbitrary numbers of secrets, each having an ID, a description and an expiration date. Pretty flexible, even allowing to give different secrets to different people with different expirations. But classic rotation has to be done by hand. Maybe that's a good compromise?

5 replies

stianst Sep 28, 2021
Maintainer Author

I think that's an overcomplicated way to do something that should be much simpler;

Start rotation
Update client and verify
Commit rotation

I'd argue that a client should only have a single credential, with the exception of during a rotation.

ath88 Sep 28, 2021

I agree with @stianst - even allowing an automatic commit once the new client key has been used once or a few times, or after a certain amount of time. Google Cloud does a similar thing for certificate rotation on a managed kubernetes cluster.

https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation#performing_a_credential_rotation

sschu Sep 29, 2021
Collaborator

You could do things like use different secrets for teams that share a client. I asked around and most people just use different clients for different teams, so I don't think its strictly necessary. Just want to make it clear that this requirement wouldn't be supported.

sschu Sep 29, 2021
Collaborator

Thinking about it, there is another reason why Azure AD might have implemented it in this way. When you create a key, it only becomes visible shortly and you have to take note of it. If you fail to do that, you can still delete that key and add a new one. Assuming we also want to have that "only visible on creation", we should be really careful with how that works i.e. definitely allow to always create a new primary/secondary secret and not force to always switch to the other secret when changing secrets.

stianst Sep 29, 2021
Maintainer Author

We'll be adding support for hashing client secrets (#8455), which will make secrets only visible on create/update time, and not possible to retrieve later.

I think what I commented in #8475 should work in this case though. It prevents you from creating yet another secret until you have either cancelled or committed the first rotation.

stianst · 2021-09-28T17:27:14Z

stianst
Sep 28, 2021
Maintainer Author

Starting to wonder if we can do something smarter here; we can add new secret, and remove the old when the new one has been used. Or, if new isn't used within X minutes rollbacks to the old one and add an error event.

4 replies

jbman Sep 28, 2021

Devops teams may use one client for multiple applications, even though dedicated clients would be more secure. A first authentication with new credentials doesn't mean a that rotation is complete.
Auto-deletion of a secret would be possible based on usage. You could have a setting at the clientlike "Remove additional secrets if not used for more than X days: 10". This would remove the second secret, without the need for manual removal.
However I don't find this very critical. An old second secret could even stay valid. Instead of deleting it you can also reduce the time until you do next secret rotations to half the time.

We just need the possibility for devops teams to do automated rotation maybe even up to a daily rate. The approach doesn't need to be smart for that. You just need a minimum of two identifiable and manageable secrets. It helps if one is identified as "active" (via tag, label, description, etc. ). But even this is optional if you have creation time. Then you can derive the younger one as active before start of rotation.

stianst Sep 29, 2021
Maintainer Author

True, I think perhaps then a simper approach is better, where we basically support:

Update credentials - no rotation support
Start rotation - creates new secret, and marks the previous as deprecated
Cancel rotation - deletes the new secret, and re-enables the previous secret
Commit rotation - deletes the deprecated secret

"Start rotation" would optionally support a auto-commit after X minutes. It would also fail if a rotation is currently in progress, and would require doing either cancel or commit to do a new attempt.

mposolda Oct 27, 2021
Maintainer

Q: Do we need support for "Cancel rotation" ? Maybe initially not needed and add it just if there is explicit ask for that?

bs-matil Dec 15, 2021

@mposolda I think the "Cancel rotation" is important if you have a protocol error.
imagine a orchestrator e.g. a service which manages the secrets externally. This services updates credentials which succeeds in keycloak but the service fails internally. If this occurs you basically cant recover. The old secret is invalidated the new one lost.

mposolda · 2021-10-27T15:33:31Z

mposolda
Oct 27, 2021
Maintainer

Few questions:

Do we want support for "automatic" client secret rotation? Note that client registration [1] and client management [2] specifications have option client_secret_expires_at for this purpose. We currently don't properly support this and we always return 0, which means that secret is valid forever (or until explicitly replaced/rotated).

I suppose that if we want to support it, the "client read request" (either admin REST API or dynamic client registration read request) will need to return new client secret. But that may not be possible due the secret hashing proposal in the other discussion?

Do we also want the option to "set" the client secret with value client wants, or do we want only option for "re-generate" client secret?

Currently we have some "hybrid", which works in a way that:

Admin console has support only for "re-generate", not support for "set"
Export/Import and admin REST API has support also for "set" client secret

Regarding support for "set", the client management specification [2] does not allow clients to set their own secret. According to https://datatracker.ietf.org/doc/html/rfc7592#section-2.2 :

The client MUST NOT be allowed to overwrite its existing client secret with its own chosen value.

Currently we do not support "set" for client management, however we support it for REST API. That is maybe bit strange (even if formally it does not break specification).

On the other hand, skip possibility for "set" in admin REST endpoint will break backwards compatibility and will require really lots of test changes.

In shortcut: I am fine with keep current behaviour (regenerate in admin console, "set" support in REST endpoint only), but just wanted to doublecheck this...

[1] https://openid.net/specs/openid-connect-registration-1_0.html
[2] https://datatracker.ietf.org/doc/html/rfc7592#section-2.2

1 reply

jbman Oct 29, 2021

Regarding 1.: Unfortunately the spec [2] does not specify a client triggered secret re-generation, but only a server controlled via client_secret_expires_at. However the Client read request of [2] would need to do exactly that: a client triggered re-generate in case of a hashed client secret. So I would also say, that the client read request must regenerate the secret exactly IF hashed client secrets are configured (for the realm in general or for an individual client). Without that configuration the client secret should probably remain unchanged for backward compatibility.

Now there is still the option that re-generation as part of a Client read request is
a) a "Commit last rotation" and "Start rotation" operation or
b) just an "Update credentials" operation which immediately invalidates the previous secret

Option a) is nice, as two active secrets enable fully automatable credentials rotation in systems which may need to distribute the new secret to multiple nodes.

Regarding 2.:
Thank you for pointing out current possibilities for setting the client secret. I also think it's fine to allow setting a client secret via admin API while the registration endpoint doesn't allow it. Would even prefer to allow set via admin console if it is already allowed via API. Could have the hint that this should only be used for migrating existing client credentials into Keycloak.

igueye · 2021-11-26T10:11:17Z

igueye
Nov 26, 2021

One thing to note about a time based expiration is that it will be good for some use-cases, but for others it could possible lead to problems, especially in complex distributed systems. Communication links can be down and this might mean a system might keep using the old password for longer than the predicted expiration time that is set on the secondary secret (say if it's in minutes).. So, keycloak should also offer the user the ability to take control of the retirement of the old/second secret explicitly (i.e. expose a specific API call to retire the old secret for example).

0 replies

marcelomrwin · 2021-12-07T19:06:16Z

marcelomrwin
Dec 7, 2021

Reading through the discussions so far I'm quite inclined to think of a simpler solution. Here's a draft flow I've built based on what's been discussed so far (or at least as I understand it).

A first change would be to change the text from "Regenerate Secret" to "Rotate Secret". Another point would be to work with the concept of Primary and Secondary Secret (Names are only suggestive)
Up to this point it is basically no different from what we have today except for new names.
The difference starts when the Rotate Secret function is activated. At this time the two secrets will remain visible. (Important note regarding business rules at this time, for example: If there is a secondary secret active, the Rotate Secret button remains disabled. And other rules that are pertinent.)

As a suggestion we can offer two features with the secondary secret, Invalidate and/or Set an expiration date. The invalidate function, as its name makes clear, basically returns to the beginning of the flow but this time with the primary secret regenerated. The expire function must perform the same action but through a schedule. (Here's a question: How to notify users of a secret that will expire in X time?

5. We can keep a notice in the admin interface notifying the lifetime of the secondary secret.

0 replies

stianst · 2021-12-15T10:29:33Z

stianst
Dec 15, 2021
Maintainer Author

I've added an alternative proposal here: #9156

This introduces a realm level client secret policy instead of having the options at the client API level. I believe this is a far better approach than this one.

0 replies

eruvanos · 2025-01-07T08:32:39Z

eruvanos
Jan 7, 2025

Hi, is there any update on this topic?
The documentation states that it is still a feature in development and should not be used in production.

0 replies

Client secret: support seamless rotation #8475

Uh oh!

Uh oh!

stianst Sep 24, 2021 Maintainer

Replies: 9 comments · 16 replies

Uh oh!

Uh oh!

Uh oh!

stianst Sep 24, 2021 8000 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mposolda Oct 27, 2021 Maintainer

Uh oh!

sschu Sep 28, 2021 Collaborator

Uh oh!

stianst Sep 28, 2021 Maintainer Author

Uh oh!

Uh oh!

sschu Sep 29, 2021 Collaborator

Uh oh!

sschu Sep 29, 2021 Collaborator

Uh oh!

stianst Sep 29, 2021 Maintainer Author

Uh oh!

stianst Sep 28, 2021 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

stianst Sep 29, 2021 Maintainer Author

Uh oh!

mposolda Oct 27, 2021 Maintainer

Uh oh!

Uh oh!

Uh oh!

mposolda Oct 27, 2021 Maintainer

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

stianst Dec 15, 2021 Maintainer Author

Uh oh!

stianst
Sep 24, 2021
Maintainer

Replies: 9 comments 16 replies

stianst Sep 24, 2021 8000
Maintainer Author

mposolda Oct 27, 2021
Maintainer

sschu
Sep 28, 2021
Collaborator

stianst Sep 28, 2021
Maintainer Author

sschu Sep 29, 2021
Collaborator

sschu Sep 29, 2021
Collaborator

stianst Sep 29, 2021
Maintainer Author

stianst
Sep 28, 2021
Maintainer Author

stianst Sep 29, 2021
Maintainer Author

mposolda Oct 27, 2021
Maintainer

mposolda
Oct 27, 2021
Maintainer

stianst
Dec 15, 2021
Maintainer Author