Add support for looking up client secrets via Vault SPI#39650
Conversation
e70f337 to
2cdc36d
Compare
|
Hi @mhajas, I noticed that you had opened an issue requesting this feature a few years ago. I’m interested in contributing it and would be glad to continue working on it. Before proceeding, I wanted to check if this is still a feature you'd consider including in Keycloak? |
|
Thank you for the PR @tsaarni. I would say it still makes sense to include this since it is highly upvoted issue. I would be happy to help or find someone else who would be willing to help. I will have a look at the changes later this week. Let me know if you need something else at this stage. |
f45b82d to
142b5c6
Compare
142b5c6 to
696e7f5
Compare
|
I've now marked the PR as ready for reviews. I still have a couple of basic question regarding the UI changes. (1) I didn't add an option to set the client secret during client creation. As a result, the client is always created with randomly generated client secret (as before), even if administrator already knows they want to use a vault reference. In this case, they'll need to first create the client with a random secret, then go to the "Credentials" tab to configure the vault reference. Do you think this is acceptable from a user experience perspective? (2) In he "Credentials" tab, there was previously a separator line between authenticator selector and the client secret field: I've removed that separator and moved the Client Secret field above the "Save" button, to make i more consistent with the layout used for the other authenticators: I haven't updated the documentation with a new UI screenshot yet, as I'd like to agree on the approach first. (3) Side effect of this change is that administrators can now set any specific client secret directly through the UI, which wasn’t previously possible. This capability has existed via the REST API, but not in the UI until now. Hope this is acceptable.
Lastly, I haven’t used React Hook Form before, but I tried to follow the existing patterns used elsewhere in the code. |
696e7f5 to
9afda53
Compare
|
I've updated the PR and addressed the (4) client config download issue I had. I’m looking forward to receive reviews and happy to address any comments to help get this merged. |
b315ffb to
8b137ab
Compare
8b137ab to
4e97510
Compare
|
I've rebased the PR. |
aea4824 to
638e422
Compare
638e422 to
06e3fff
Compare
If vault SPI is defined, lookup client secret (and rotated client secret) from vault implementation. Allow editing client secret to set vault reference in the UI. Signed-off-by: Tero Saarni <tero.saarni@est.tech>
06e3fff to
3f915a4
Compare
rmartinc
left a comment
There was a problem hiding this comment.
Thanks @tsaarni for the PR!
I have added some comments. I worked with this branch for the review. So you can take whatever you need from that extra test commit i played with.
I have doubts about the admin console change. Asking @edewit if he can have a better idea.
Probably, when the PR is ready will need a note in the release notes about the change. But we can talk about that later.
| <Controller | ||
| name="secret" | ||
| control={form.control} | ||
| render={({ field }) => <PasswordInput id={id} {...field} />} | ||
| /> |
There was a problem hiding this comment.
With this change we are allowing editing any secret (even for view only users that cannot submit). I think that this was initially read-only because the idea is only allow the generate button. This way the passwords are secure/complex. Maybe we should maintain it read-only initially and allow editing when changed to visible (only for admins that can edit). Not sure about this. I thought about showing a message when toggle to visible, commenting about complexity and so on and so forth... But maybe it's too much.
But I would at least present it read-only and just enable editing when toggled to visible if the admin has permissions for edit (if not it remains read-only).
Change the documentation accordingly if you think my proposal is better.
There was a problem hiding this comment.
I think that this was initially read-only because the idea is only allow the generate button. This way the passwords are secure/complex.
Likely true, though the client secrets were possible to change via REST API anyways.
But I would at least present it read-only and just enable editing when toggled to visible if the admin has permissions for edit (if not it remains read-only).
Thanks! I had missed the readOnly={!isManager}. Regarding being editable only after toggling visibility, I suppose <PasswordInput> component remains editable by design even when password is not revealed?
There was a problem hiding this comment.
I was thinking about something similar to rmartinc@d59fa46. I mean, by default is read-only, and only when revealed is also editable. But I'm not sure if I'm just overthinking and complicating the UI. We can go even farther and can show a warning or similar before make it editable with this idea.
@edewit @mposolda WDYT? Do we always allow modifying the secret or just when revealing it? I was trying to make the generate button the easiest path except if you really want to type the secret (because you want a vault or any other reason).
There was a problem hiding this comment.
I think it's fine to leave it like this that when you want to edit it you can only do that when it's viewable, otherwise we would have to have 2 fields to confirm the new password. One thing to note is instead of using <Control it would be better to use
<PasswordControl
name="secret"
isDisabled={!isManager}
/>
There was a problem hiding this comment.
Thanks @edewit! I think this is using directly the PasswordInput instead of the PasswordControl because there are more elements in the row (the copy and regenerate buttons and more things for the client secret rotation). And you need to change the PasswordControl to add everything inside it.
Then @tsaarni, if Erik thinks that it is OK like it is now, just change the the read-only for disabled (it's the same and I think that it works like the rest of fields) and that's all:
<Controller
name="secret"
control={form.control}
render={({ field }) => (
<PasswordInput id={id} {...field} isDisabled={!isManager} />
)}
/>There was a problem hiding this comment.
Thanks! I've changed from readOnly to isDisabled.
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
|
Big thanks for review @rmartinc! I incorporated everything from your commit, thanks for making it available :) |
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
There was a problem hiding this comment.
@tsaarni @rmartinc @edewit Thanks for the PR and review!
Added few minor comments inline.
Besides that, I am missing a bit a "Revert" button on the page with client credentials. This button was not present here before this PR as well (and is also missing for "X509" credential where it would also makes sense). But with disabled "Regenerate" button after doing some changes in client-secret, I am missing it a bit more now.
For example: Assume I want to edit client-secret by hand, so I would start typing something in the client-secret field. But then I decide I rather prefer to "Regenerate" secret instead of manually updating it. I cannot do that very easily (unless I delete it to previous value OR unless I go back from the client entirely OR unless I am first "Save" it and then "Regenerate" as next step, which all are not so great options from UX perspective IMO).
@tsaarni @rmartinc @edewit Curious for the feedback on this. If you think "Revert" button not needed, I am OK with accepting this without "revert" button (As I can see that "Revert" button can imply that "Regenerating" client secret could be also reverted, but it actually could not as REST request for regenerate was already saved and previous secret already lost. So "revert" button should be rather present/enabled just if Save button is enabled as well).
|
|
||
| @Override | ||
| public Map<String, Object> getAdapterConfiguration(ClientModel client) { | ||
| public Map<String, Object> getAdapterConfiguration(KeycloakSession session, ClientModel client) { |
There was a problem hiding this comment.
Minor: Should not this method use the same like ClientIdAndSecretAuthenticator.getAdapterConfiguration to actually obtain secret for adapters?
There was a problem hiding this comment.
Yep! I missed this one. It should also use the vault to get the secret.
There was a problem hiding this comment.
I only planned to add vault support for the client secret authenticator but I now tested the JWT client secret authenticator as well and it's not working with vault references. Not sure what's needed to implement vault support for that as well.
There was a problem hiding this comment.
OK, but then this should be at least managed as follow-up. The JWTClientSecretAuthentication is just an authenticator that uses the secret as the HMAC to sign... We would need also tests for this. @mposolda WDYT?
There was a problem hiding this comment.
Ah, ok. It would be good to update that one as well for consistency. It seems this authenticator uses key, which is created from client-secret and secret is obtained in ClientMacSignatureVerifierContext (not 100% sure it is this class. You can likely doublecheck).
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
Signed-off-by: Tero Saarni <tero.saarni@est.tech>
|
I'm working on the button right now, so I will come back with a button bit later today (or admitting defeat and moving it to someone else to follow-up ;) ) |
This PR adds support for resolving client secrets via the Vault SPI, enabling retrieval from secure storage instead of storing them in plaintext in the database. While the Vault SPI has some usability limitations, this approach is less invasive than alternatives like hashing or introducing new encrypt/decrypt SPI. It also preserves the plaintext access to the secret, which is required by existing use cases.
Notes:
(1) At the moment, the admin console only supports generating new random client secrets. There is no way for administrators to specify a vault reference value. However, the Admin REST API does support setting the client secret explicitly, including reference values. To fully support this feature, the admin console will need to be extended to allow entering reference values as well. Note: If a new random client secret is generated via the admin console, it will overwrite the existing reference.
(2) The client secret rotation feature introduces additional complexity. Triggering rotation will overwrite any reference-based secret with a newly generated random secret.
(3) Since the client secret may be accessed frequently, using a remote Vault SPI implementation with network communication can introduce latency. To avoid repeated lookups, Vault SPI implementation may choose to add caching.
TODO
Fixes #13102