diff --git a/docs/documentation/server_admin/images/client-federated-jwt.png b/docs/documentation/server_admin/images/client-federated-jwt.png new file mode 100644 index 00000000000..7b408f4401b Binary files /dev/null and b/docs/documentation/server_admin/images/client-federated-jwt.png differ diff --git a/docs/documentation/server_admin/images/spiffe-add-identity-provider.png b/docs/documentation/server_admin/images/spiffe-add-identity-provider.png new file mode 100644 index 00000000000..7baaff0c962 Binary files /dev/null and b/docs/documentation/server_admin/images/spiffe-add-identity-provider.png differ diff --git a/docs/documentation/server_admin/topics.adoc b/docs/documentation/server_admin/topics.adoc index 2cbd1ccc961..ae774bae247 100644 --- a/docs/documentation/server_admin/topics.adoc +++ b/docs/documentation/server_admin/topics.adoc @@ -47,6 +47,7 @@ include::topics/identity-broker/social/twitter.adoc[] include::topics/identity-broker/oidc.adoc[] include::topics/identity-broker/oauth2.adoc[] include::topics/identity-broker/saml.adoc[] +include::topics/identity-broker/spiffe.adoc[] include::topics/identity-broker/suggested.adoc[] include::topics/identity-broker/mappers.adoc[] include::topics/identity-broker/session-data.adoc[] diff --git a/docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc b/docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc index 251a4b18e00..35a67278388 100644 --- a/docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc +++ b/docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc @@ -14,10 +14,10 @@ The *Client Authenticator* drop-down list specifies the type of credential to us This choice is the default setting. The secret is automatically generated. Click *Regenerate* to recreate the secret if necessary. -.Signed JWT +*Signed JWT issued by the client* image:images/client-credentials-jwt.png[Signed JWT] -*Signed JWT* is "Signed JSON Web Token". +*Signed JWT* allows a client to authenticate with self-signed client assertions. This enables the client to authenticate without a shared secret. In this authenticator you can enforce the *Signature algorithm* used by the client (any algorithm is valid by default) and the *Max expiration* allowed for the JWT token (tokens received after this period will not be accepted because they are too old, note that tokens should be issued right before the authentication, 60 seconds by default). @@ -59,6 +59,32 @@ https://myhost.com/myapp/k_jwks See link:{developerguide_link}[{developerguide_name}] for more details. +*Signed JWT issued by an Identity Provider* + +:tech_feature_name: Signed JWT issued by an Identity Provider +:tech_feature_id: client-auth-federated +include::../../../topics/templates/techpreview.adoc[] + +*Signed JWT* allows a client to authenticate with client assertions issued by an identity provider. Example use-cases +include: + +* Client assertion issued by an OpenID Connect provider +* SPIFFE JWT SVIDs +* Kubernetes service accounts + +Before using this authentication mechanism, an identity provider capable of verifying client assertions should be configured. + +The identity providers which support client assertions are: + +* <<_identity_broker_oidc,OpenID Connect>> (support for client assertions must be enabled) +* <<_identity_broker_spiffe,SPIFFE>> + +image:images/client-federated-jwt.png[] + +* Identity provider - the alias of the identity provider to use +* Federated subject - the external client id for the client (value of the `sub` claim of the client assertion) + + *Signed JWT with Client Secret* If you select this option, you can use a JWT signed by client secret instead of the private key. diff --git a/docs/documentation/server_admin/topics/identity-broker/oidc.adoc b/docs/documentation/server_admin/topics/identity-broker/oidc.adoc index 06894528a1c..95d7c7f8c5f 100644 --- a/docs/documentation/server_admin/topics/identity-broker/oidc.adoc +++ b/docs/documentation/server_admin/topics/identity-broker/oidc.adoc @@ -85,6 +85,12 @@ If the user is unauthenticated in the IDP, the client still receives a `login_re | Define the query parameters to be forwarded to an external AS from the initial authorization request sent to the authorization endpoint. Multiple parameters can be entered, separated by comma (,). The parameters available to forward are any non OpenID Connect/OAuth standard parameter or standard parameters that are available as a client note from the authentication session. +|Supports client assertions +|This setting enables support for using client assertions issued by the provider to authenticate clients. Validate Signatures must be enabled as well. + +|Allows client assertions to be re-used +|By default, a client assertion can not be used multiple times. If the client is not able to retrieve a new client assertion for each request this option can be enabled to allow re-use of the same client assertion. + |=== You can import all this configuration data by providing a URL or file that points to OpenID Provider Metadata. If you connect to a {project_name} external IDP, you can import the IDP settings from `{kc_realms_path}/{realm-name}/.well-known/openid-configuration`. This link is a JSON document describing metadata about the IDP. diff --git a/docs/documentation/server_admin/topics/identity-broker/spiffe.adoc b/docs/documentation/server_admin/topics/identity-broker/spiffe.adoc new file mode 100644 index 00000000000..f8f34a7ed41 --- /dev/null +++ b/docs/documentation/server_admin/topics/identity-broker/spiffe.adoc @@ -0,0 +1,32 @@ + +[[_identity_broker_spiffe]] +=== SPIFFE identity providers + +:tech_feature_name: SPIFFE +:tech_feature_id: spiffe +include::../../topics/templates/techpreview.adoc[] + +A SPIFFE identity provider supports authenticating clients with SPIFFE JWT SVIDs. + +.Procedure +. Click *Identity Providers* in the menu. +. From the `Add provider` list, select `SPIFFE`. ++ +.Add SPIFFE provider +image:images/spiffe-add-identity-provider.png[Add SPIFFE Provider] ++ +. Enter your initial configuration options. ++ +.SPIFFE settings +|=== +|Configuration|Description + +|Alias +|The alias for the identity provider is used to link a client to the provider + +|SPIFFE Trust Domain +|The SPIFFE Trust domain (for example `spiffe://my-trust-domain`) + +|SPIFFE Bundle Endpoint +|`https` URL for the SPIFFE Bundle Endpoint where the SPIFFE servers public keys are exposed +|=== diff --git a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties index 8ca92bce3d1..aacd84c2ca2 100644 --- a/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties +++ b/js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties @@ -936,7 +936,7 @@ custom=Custom Attribute... keyTab=Key tab addSamlProvider=Add SAML provider addSpiffeProvider=Add SPIFFE provider -spiffeTrustDomain=SPIFFE Trust Domain name +spiffeTrustDomain=SPIFFE Trust Domain spiffeBundleEndpoint=SPIFFE Bundle Endpoint permission=Permission saveEventListeners=Save Event Listeners diff --git a/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java b/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java index 165255a52e8..c695223a968 100644 --- a/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java +++ b/services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java @@ -26,7 +26,6 @@ import org.keycloak.models.UserSessionModel; import org.keycloak.representations.JsonWebToken; import org.keycloak.sessions.AuthenticationSessionModel; -import java.net.URI; import java.nio.charset.StandardCharsets; /**