Client secret policies to support secret rotation #9156

stianst · 2021-12-15T10:28:35Z

stianst
Dec 15, 2021
Maintainer

This proposal is a different take on supporting rotation of client secrets (#8475). In the previous proposal the client secret rotation was handled at the client update APIs, while in this proposal it is a realm level policy.

https://github.com/keycloak/keycloak-community/blob/main/design/client-secret-rotation.md

bs-matil · 2021-12-15T11:17:23Z

bs-matil
Dec 15, 2021

I saw in the other discussion you are going to implement hashed client secrets (#8455).

In the policy case the expiration and creation happens in a background task right? How does this go along with hashed secrets? Will they be promoted as a special Event or pushed in a transaction to webhook target or something like that? How do external systems get aware of the new secret in this case?

Will hashed secrets only work in a "external" secret store case than? And will the API create the secret in the external store but keep only a hash for keycloak locally.

I may got a bit confused and I am totally on the wrong page here.

10 replies

mposolda Dec 15, 2021
Maintainer

Yes, I am wondering about have the settings of Secret expiration and Rotated secret expiration can be configured as client policy executor rather than realm-wide switches?

Using client policies can mean that different clients in the realm can have different settings (EG. client secret rotation is disabled for some clients and enabled for different clients).

stianst Dec 15, 2021
Maintainer Author

Yeah, I like that. Let's not have a realm level config, and just make this a client policies thing.

jbman Dec 15, 2021

Thank you all, think I got it now after looking at the structure of client policies.

A client policy executor will allow to define expiration settings for clients.
A client profile allows to bundle policy executors
The client policy defines the clients where client profiles are applied

sschu Dec 16, 2021
Collaborator

I was wondering where exactly the border between client policies and client types will be? Looks like they can do similar things…

jxsl13 Jan 21, 2022

in case of multiple thousands of clients would it be feasible to have client group policies for that?
is there anything like that in Keycloak?

mposolda · 2021-12-15T14:59:30Z

mposolda
Dec 15, 2021
Maintainer

There is one small thing, which looks to me a bit cumbersome. That is the case when you use OIDC client registration and at the same time, you have client secret hashing enabled.

As we discussed in the morning and you pointed in the example, this won't work with client GET request, which won't be able to return plain-text secret due the fact it is hashed. Hence client will need to use "client update" request. And that thing looks bit cumbersome to me due the fact that "Client update" request will need to copy all the other JSON stuff of the client. The specification https://datatracker.ietf.org/doc/html/rfc7592#section-2.2 mentions:

This request MUST include all client metadata fields as returned to
the client from a previous registration, read, or update operation.

So client will effectively need first call "GET" to return the current client JSON data and then call "UPDATE" with same JSON data just to enforce client secret rotation and return new client secret.

I am just pointing this, but I don't have any better idea to solve this. It seems the periodic client secret rotation with client secret hashing is just not ideal combination ... :-/

6 replies

jbman Dec 15, 2021

In addition to the update possibility specified by the standard, a PUT on sub-resource could be supported. With the data from the example at https://datatracker.ietf.org/doc/html/rfc7592#section-2.2 this would look like this:

PUT /register/s6BhdRkqt3/secret HTTP/1.1
 Accept: text/plain; charset=UTF-8
 Host: server.example.com
 Authorization: Bearer reg-23410913-abewfq.123483

 cf136dc3c1fc93f31185e5885805d

It's also a pattern which could help at other places where GET/PUT is needed to retain all data in case of an update (e.g. user attributes, realm attributes)

8000

mposolda Dec 15, 2021
Maintainer

Well, currently we return client secret from GET requests. I don't see any issues with that as both client registration [1] and client management [2] supports returning client secrets and contain examples with client_secret as returned field.

With client secret hashing enabled, we will need to skip returning secrets. But as I mentioned, I don't have any better proposal for the case when hashing is enabled...

In fact, enabled hashing means, that administrator with rights to read-client won't be ever able to read the client secret. Secret will be visible only to administrators with manage-client rights as it is returned only from POST/PUT requests. I see it as a feature and increased security.

[1] https://openid.net/specs/openid-connect-registration-1_0.html#ReadRequest
[2] https://datatracker.ietf.org/doc/html/rfc7592#section-2.1

mposolda Dec 15, 2021
Maintainer

In addition to the update possibility specified by the standard, a PUT on sub-resource could be supported. With the data from the example at https://datatracker.ietf.org/doc/html/rfc7592#section-2.2 this would look like this:

This sub-resource PUT approach is maybe something to consider for the new Keycloak admin REST API. In this particular case, it likely won't help much as OIDC/OAuth2 specifications prescribes how the CRUD requests look like and there is not sub-resource approach supported AFAIK

jbman Dec 16, 2021

I assume there aren't many vendors anyway who make use of the RFC7592 for client management but rather many operated setup where a team needs to implement a manual or automated process for setting a new secret. An additional endpoint will not break standard compatibility and it would be usable for to set a new secret in a convenient way.
I agree that it should match with patterns for a new Keycloak admin REST API, that's why I mentioned that other resources could provide a similar way for update.

mposolda Dec 17, 2021
Maintainer

Yeah, I see. However in cases when people does not need to be OIDC specs compliant, it is likely better idea for them to use Admin REST API directly? AFAIK the new admin REST API plans to have something like your idea for sub-resources. Regarding old admin REST API, it already has an endpoint for update only client secret. This is the endpoint, which is currently used by admin console when you go to Client -> tab Credentials and you click Re-generate secret .

My original point was related to those cases when people needs to be OIDC specs compliant and hence need to use endpoints described in the specification.

mposolda · 2022-01-18T16:35:42Z

mposolda
Jan 18, 2022
Maintainer

@stianst I have one more additional question when reading more through this: How will Keycloak determine if client-update request should rotate secret or not? For example OIDC dynamic client registration specification does not allow to provide your own "client-secret" and it does not have any way to tell the server if secret should be rotated or not during update request.

One possibility is to rotate client secret during each client update request. But this is not ideal as administrator often wants to update client without need to always update client secret.

Better possibility is to introduce another option to "client secret policy" to control the timeout, which specifies that client update request will update the client secret just if current secret has low time to expiration. Something like Remaining time to update (maybe some nicer name). This is timeout in seconds.

One example how it can work, Client expiration is 30 days and Remaining time to update is 10 days.

Client is generated at time 0
Client update request will be sent by administrator after 10 days. Secret is not updated at this point as it is still 20 days remaining to expire
Another client update request will be sent by administrator after next 11 days (21 days from the start). Secret is updated at this point as it is only 9 days remaining for secret expiration. New secret is sent in the client-update response.

WDYT?

0 replies

jxsl13 · 2022-01-21T10:22:00Z

jxsl13
Jan 21, 2022

Assuming we have one client application running on multiple target hosts doing whatever they need to do.
Reporting metrics, executing tasks, etc. Imagine something along the lines of an AWS EC2 auto scaling groups.

How would that be handled, how do multiple service instances update their shared client secret together?

Is there a need to have two expiration times?
One for when the ability to fetch tokens expires and another expiration period for when the target client is not allowed to fetch their new client secret?

Are clients supposed to update their own secrets or is that a third party application that is supposed to do that?

RFC :)

0 replies

luisalves00 · 2022-03-16T17:17:07Z

luisalves00
Mar 16, 2022

Could Keycloak have the same approach as azure?

e.g.:

Instead of single secret the have a list of them, so it's easy to generate a new one and then update client application when possible. Then the have that expire date, but they don't really expire the secret (this could potentially stop productive applications). It's more like a warning for you to take some action and change the current used secret.

0 replies

marcelomrwin · 2022-03-17T09:22:11Z

marcelomrwin
Mar 17, 2022

I understand that one of the reasons to enable client secret rotation is security and simplicity. The concern that an eventual leak of the client secret will be quickly mitigated. Keeping multiple versions of client secrets can be a challenge for an administrator and I think that once the secret has been rotated it should have a short enough lifetime to expire and somehow force applications to update the secret in use. Please take a look at https://github.com/keycloak/keycloak-community/blob/main/design/client-secret-rotation.md and see how we implement this functionality. Suggestions and contributions are always welcome.

0 replies

mpugge · 2022-06-28T16:11:27Z

mpugge
Jun 28, 2022

@marcelomrwin of course the security concerns about keeping multiple key versions indefinitely are reasonable, but I think that Keycloak should give also the option of a simple key rotation like in azure (or e.g. in AWS IAM user credentials).

too many times security policies fall from above without considering many common use cases that at least in some environments do not pose any risk. for example think about the old discussion on supporting wildcards in the redirect urls.

it should be ultimately an admin choice, not a developer one, to accept a marginally less secure configuration if the use case calls for it.

2 replies

mpugge Jun 28, 2022

I mean, the current approach would even be more than acceptable if we had the option to never expire the current (new) secret.

mpugge Jul 6, 2022

created pull request client-secret-rotation, allowing no expiration for new secret #12937

wdutton04 · 2025-06-24T15:50:38Z

wdutton04
Jun 24, 2025

Is this ever going to come out of PREVIEW ? I see this was merged into main quite some time ago, and there should really be a way to rotate these secrets without having any downtime of the application using it. Are there other best practices to follow to do this? Otherwise, I am worried to use a feature that has been in preview for a few years now.

0 replies

Client secret policies to support secret rotation #9156

Uh oh!

Uh oh!

stianst Dec 15, 2021 Maintainer

Replies: 8 comments · 18 replies

Uh oh!

Uh oh!

mposolda Dec 15, 2021 Maintainer

Uh oh!

stianst Dec 15, 2021 Maintainer Author

Uh oh!

Uh oh!

Uh oh!

sschu Dec 16, 2021 Collaborator

Uh oh!

Uh oh!

mposolda Dec 15, 2021 Maintainer

Uh oh!

Uh oh!

Uh oh!

mposolda Dec 15, 2021 Maintainer

Uh oh!

mposolda Dec 15, 2021 Maintainer

Uh oh!

Uh oh!

Uh oh!

mposolda Dec 17, 2021 Maintainer

Uh oh!

mposolda Jan 18, 2022 Maintainer

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

stianst
Dec 15, 2021
Maintainer

Replies: 8 comments 18 replies

mposolda Dec 15, 2021
Maintainer

stianst Dec 15, 2021
Maintainer Author

sschu Dec 16, 2021
Collaborator

mposolda
Dec 15, 2021
Maintainer

mposolda Dec 15, 2021
Maintainer

mposolda Dec 15, 2021
Maintainer

mposolda Dec 17, 2021
Maintainer

mposolda
Jan 18, 2022
Maintainer