
Add support for signed JWT (client assertion) authentication in Java admin client #108

Open
gim- opened this issue Nov 18, 2024 · 2 comments
Labels
area/admin-client help wanted Extra attention is needed kind/feature priority/normal status/fix-in-keycloak-required Refers to the issue, which need fix in keycloak/keycloak and will be synced to keycloak-client later team/core-clients

Comments

@gim-

gim- commented Nov 18, 2024

Description

Current admin client implementation only supports 3 options for authentication:

  • Basic username & password - usually considered insecure
  • Client ID and client secret - good and simple option, but not most secure
  • Already existing access token - access token has to be managed outside of the client, and the client instance has to be recreated after every access token expiration

But the most secure way for client authentication, with signed JWT, is not supported, and we'd like to see it implemented or at least be able to override default TokenManager implementation with our own and pass it to the admin client.

Discussion

No response

Motivation

One of our client applications is using the Keycloak Java admin client to make changes in Keycloak realms based on all kinds of business events. Though one of the security requirements in the organisation is to only use signed JWT (client assertion) for client authentication. Basic and client secret are discouraged.

Details

I believe there are 2 things that could be done to improve this and make it future-proof:

  • Add a way to inject a custom TokenManager implementation into the Keycloak instance.
  • Provide an out-of-the-box TokenManager implementation that supports signed JWT authentication and manages the access token lifecycle automatically.

I'm open to contributing by implementing this.

@mposolda
Contributor

PR would be welcome for this. I think option (2) will be nice (make sure that the OOTB implementation works and allows authenticating with signed JWT). It may probably need some configuration options on keycloak-admin-client. Maybe using the keystore? This is what is currently supported by the authz-client: https://www.keycloak.org/securing-apps/authz-client#_client_authentication_with_signed_jwt

Note that you will need to send a PR to https://github.com/keycloak/keycloak to update the admin-client there (it will then be synced to keycloak-client afterwards; see the CONTRIBUTING.md guide for the details).

@mposolda mposolda added priority/normal help wanted Extra attention is needed area/admin-client status/fix-in-keycloak-required Refers to the issue, which need fix in keycloak/keycloak and will be synced to keycloak-client later and removed status/triage labels Jan 16, 2025
@SlavikZ

SlavikZ commented Jan 17, 2025

It would be great to have such a possibility in the keycloak admin client.
By the way, connecting to Keycloak with a signed JWT in the current Keycloak admin client is possible. Still, the way looks hacky—you must pass a custom implementation of ResteasyClient that returns a ResteasyWebTarget with a configured ClientRequestFilter, where you have to inject the required client_assertion_type and client_assertion fields into the token endpoint POST request.
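As an added illustration, not code from this issue or from the Keycloak project, of what an out-of-the-box TokenManager for option (2) in the issue description would have to do, and of the client_assertion_type and client_assertion fields named in the comment above: the client builds a short-lived JWT (iss and sub set to the client id, aud set to the realm token endpoint, a unique jti, and an exp a minute out), signs it with a private key loaded from a keystore, and posts it to the token endpoint as an RFC 7523 client assertion. It uses only the JDK (java.security, java.net.http). The server URL, realm, client id, keystore path, alias and password are placeholders, and the token endpoint path assumes a current Keycloak deployment without a context path prefix.

```java
import java.io.FileInputStream;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.UUID;

/** Builds an RFC 7523 client assertion and exchanges it for an access token (example code). */
public class SignedJwtClientAuthExample {

    // Placeholder values; replace with your own deployment's settings.
    static final String SERVER_URL = "https://keycloak.example.com";
    static final String REALM = "master";
    static final String CLIENT_ID = "admin-automation";        // hypothetical client
    static final String KEYSTORE_PATH = "/path/to/client.p12"; // hypothetical keystore
    static final String KEYSTORE_PASSWORD = "changeit";
    static final String KEY_ALIAS = "admin-automation";
    static final String ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    static String base64Url(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    /** Loads the client's private key from a PKCS12 keystore (use "JKS" for a .jks file). */
    static PrivateKey loadPrivateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, KEYSTORE_PASSWORD.toCharArray());
        }
        return (PrivateKey) ks.getKey(KEY_ALIAS, KEYSTORE_PASSWORD.toCharArray());
    }

    /**
     * Creates a short-lived RS256-signed assertion: iss = sub = client id, aud = token endpoint,
     * a fresh jti per request (Keycloak rejects replayed ids) and a 60-second lifetime.
     */
    static String buildClientAssertion(String tokenEndpoint, String clientId, PrivateKey key) throws Exception {
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String claims = String.format(
            "{\"iss\":\"%s\",\"sub\":\"%s\",\"aud\":\"%s\",\"jti\":\"%s\",\"iat\":%d,\"exp\":%d}",
            clientId, clientId, tokenEndpoint, UUID.randomUUID(), now, now + 60);
        String signingInput = base64Url(header.getBytes(StandardCharsets.UTF_8)) + "."
                + base64Url(claims.getBytes(StandardCharsets.UTF_8));
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + base64Url(sig.sign());
    }

    /** Posts the client_credentials grant with the assertion instead of a client secret. */
    static String requestAccessToken(String tokenEndpoint, String assertion) throws Exception {
        String form = "grant_type=client_credentials"
                + "&client_assertion_type=" + URLEncoder.encode(ASSERTION_TYPE, StandardCharsets.UTF_8)
                + "&client_assertion=" + URLEncoder.encode(assertion, StandardCharsets.UTF_8);
        HttpRequest request = HttpRequest.newBuilder(URI.create(tokenEndpoint))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(form))
                .build();
        HttpResponse<String> response = HttpClient.newHttpClient()
                .send(request, HttpResponse.BodyHandlers.ofString());
        if (response.statusCode() != 200) {
            throw new IllegalStateException("token request failed: " + response.statusCode() + " " + response.body());
        }
        // JSON body with access_token and expires_in; a TokenManager would cache it and
        // build a new assertion shortly before expiry instead of recreating the client.
        return response.body();
    }

    public static void main(String[] args) throws Exception {
        String tokenEndpoint = SERVER_URL + "/realms/" + REALM + "/protocol/openid-connect/token";
        String assertion = buildClientAssertion(tokenEndpoint, CLIENT_ID, loadPrivateKey());
        System.out.println(requestAccessToken(tokenEndpoint, assertion));
    }
}
```

Until the admin client supports this natively, the access_token from the returned JSON can be handed to the existing third option from the issue description (passing an already existing access token to the client), with the caller refreshing it when expires_in runs out. The private key never leaves the client, the assertion is single-use and expires within a minute, and the aud claim ties it to one token endpoint, which is what makes this option stronger than a static client secret.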

Development

No branches or pull requests

4 participants