Hello,
Is there a way to retrieve a Keycloak client’s client_secret from the Kubernetes files plain-text vault provider?
Already did it for the SMTP password, it’s working fine, but I’d like something like this:
The goal is to be able to link a Kubernetes secret with both Keycloak, to manage the OIDC client, and the actual web app that is the client.
In the documentation it is indeed said that only the fields below are able to use this feature:
- SMTP password
- LDAP bind credential
- OIDC identity provider secret
Is there a plan somewhere in the backlog to add this feature?
Sorry if I am not clear, but thanks in advance for your help,
Best regards,
This is not yet supported by Keycloak. There is a discussion item somewhere about client secrets, not only about serving them from a vault, but also about other aspects.
See somewhere here:
We also really wish this was a feature. Wondering what the complexity involved in this would be?
I noticed Release Notes and https://github.com/keycloak/keycloak/pull/39650.
Perhaps this is now delivered in 26.6.0 and later.
Life will be easier by avoiding client secrets.
Check if the Federated Client Authentication feature [1] works for you, or you can also use JWT client authentication.
[1] Federated client authentication - no more secrets - Keycloak
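As an added example (not code from this thread or from Keycloak’s own code base), here is what the JWT client authentication suggested above amounts to in practice: the client signs a short-lived RFC 7523 assertion with a private key that never leaves its pod, and the server only needs the registered public key. The client ID, realm URL and key are placeholders constructed for the demo; the verification side is a simplified stand-in for what Keycloak does with the “Signed JWT” credential type and is written here with the Go standard library only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Claims of an RFC 7523 client assertion: iss and sub are both the client_id,
// aud is the token endpoint of the realm the client belongs to.
type AssertionClaims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildClientAssertion signs a one-minute RS256 JWT with the client's private key.
// No shared secret is involved, so nothing secret has to be stored on the Keycloak side.
func BuildClientAssertion(key *rsa.PrivateKey, clientID, tokenEndpoint string, now time.Time) (string, error) {
	jti := make([]byte, 16) // random jti lets the server reject replays
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	claims := AssertionClaims{
		Iss: clientID, Sub: clientID, Aud: tokenEndpoint,
		Jti: hex.EncodeToString(jti),
		Iat: now.Unix(), Exp: now.Add(60 * time.Second).Unix(),
	}
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	cb, _ := json.Marshal(claims)
	signingInput := b64url(hb) + "." + b64url(cb)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyClientAssertion is the server-side check: pinned algorithm, signature
// against the registered public key, then audience, expiry and iss == sub == client_id.
func VerifyClientAssertion(pub *rsa.PublicKey, assertion, expectedAud string, now time.Time) (*AssertionClaims, error) {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	// Pin the algorithm: never let the token choose (e.g. "none" or an HMAC alg).
	if err := json.Unmarshal(hb, &header); err != nil || header.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims AssertionClaims
	if err := json.Unmarshal(cb, &claims); err != nil {
		return nil, err
	}
	if claims.Aud != expectedAud {
		return nil, errors.New("audience mismatch")
	}
	if now.Unix() >= claims.Exp {
		return nil, errors.New("assertion expired")
	}
	if claims.Sub == "" || claims.Iss != claims.Sub {
		return nil, errors.New("iss and sub must both be the client_id")
	}
	return &claims, nil
}

// TokenRequestForm is the body the client POSTs to the token endpoint instead of client_secret.
func TokenRequestForm(assertion string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // in a real deployment: mounted from a Kubernetes Secret
	endpoint := "https://keycloak.example.com/realms/myrealm/protocol/openid-connect/token" // placeholder
	jwt, err := BuildClientAssertion(key, "my-web-app", endpoint, time.Now())
	if err != nil {
		panic(err)
	}
	claims, err := VerifyClientAssertion(&key.PublicKey, jwt, endpoint, time.Now())
	fmt.Println("verified for client:", claims.Sub, "err:", err)
	fmt.Println(TokenRequestForm(jwt).Encode()[:80], "...")
}
```

The private key can still be a Kubernetes Secret mounted into the web app’s pod, but only the public key is registered on the Keycloak client, so the question of serving the secret to Keycloak from the vault disappears.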
I’m not sure why an administrator needs access to the client secret in the first place. For example, an administrator can run a credential reset for a user, the user sets a secret passphrase, and the administrator cannot retrieve that secret passphrase.