
Support Signed JWT #6

Description

@torbsto

There are different ways in which Keycloak can authenticate a client (that is, not the user but the backend or frontend). So far we use a client secret, but we also need to support signed JWT.
Here, the client (!) generates a private/public key pair, creates a JWT and signs it with the private key. Additionally, Keycloak needs to know about the public key. There are two options: 1) Upload the key manually. 2) An admin can configure a URL where Keycloak can fetch the cert. This allows rotating keys without having to reconfigure Keycloak and is therefore preferred.

I've made a working PoC of how this can be achieved: https://github.com/bakdata/python-keycloak-oauth/pull/5/files

I think the following things are missing:

  • Endpoint for the public key
  • A utility to read a cert and extract the public key
  • An abstraction over the auth_method (maybe we can just add all those arguments to client_kwargs already?)
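The flow described above (client signs a JWT with its private key, Keycloak verifies it with the published public key), as an added example that is not code from the linked PoC or from python-keycloak-oauth. It uses only the `cryptography` package; the token endpoint URL, client id and key ids are constructed placeholders, and the `public_keys` dict stands in for what Keycloak would fetch from the configured cert/JWKS URL.

```python
import base64
import json
import time
import uuid

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Placeholder: the audience of a client assertion is the realm's token endpoint.
TOKEN_ENDPOINT = "https://keycloak.example.invalid/realms/demo/protocol/openid-connect/token"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_client_key():
    """Client side: the client (not Keycloak) owns the key pair; rotate by publishing a new kid."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def build_client_assertion(client_id, private_key, kid, now=None, ttl=60):
    """Client side: short-lived RS256 JWT with iss == sub == client_id, aud == token endpoint."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + ttl}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = private_key.sign(signing_input.encode(), padding.PKCS1v15(), hashes.SHA256())
    return signing_input + "." + b64url(sig)


def verify_client_assertion(token, public_keys, expected_client_id, now=None):
    """Server side (what Keycloak does): pin the algorithm, look the key up by kid,
    check the signature, then issuer/subject, audience and expiry. Returns True/False."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        if header.get("alg") != "RS256":   # never let the token choose the algorithm
            return False
        key = public_keys[header["kid"]]   # unknown kid -> KeyError -> rejected
        key.verify(b64url_decode(s), f"{h}.{p}".encode(), padding.PKCS1v15(), hashes.SHA256())
    except Exception:
        return False
    # A real verifier also records jti to reject replays within the token lifetime.
    return (claims.get("iss") == expected_client_id and claims.get("sub") == expected_client_id
            and claims.get("aud") == TOKEN_ENDPOINT and now < claims.get("exp", 0))
```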
