Asterisks in client secret field

Hello,

I am getting “no valid access_token” errors when trying to use OpenID Connect identity provider, which can imply client secret might be invalid.

When checking it I noticed that string of 10 asterisks is shown instead of client secret field. Even if I insert correct client secret and click “Save” in Web console, next time I see again 10 asterisks.

Keycloak version 12.0.2, running in standalone mode. How do I make it store and use correct client secret?

Thanks.

How can you insert client secret? It is read only field in the web console and user can only regenerate secret, but not set own value:

You may have some old Keycloak or you are not using Keycloak IDP.

The IdP is OpenID Connect v1.0

Keycloak is 12.0.2 (not too ancient, I hope). And the part of configuration looks like:

and yes, it’s NOT read-only. If I enter something like '${vault.ID}, it remains as I entered it. If I enter secret as it is, alphanumeric, it’s turned into asterisks.

How am I expected to have correct client secret in such a case?

Can you click the ‘eye’ button on the right hand side of the text box to reveal the Client Secret - it looks like it’s being protected (shown as asterixes) unless you actively click to view it.

Nope. It’s displayed as centered (big) dots. If I click the eye, it’s displayed as asterisks instead.

Before the click:
before

…and after (I can’t insert more than 1 media file in comment)
after

Odd! Have just tested this after saving and I see the same 10 asterisks (previously did without clicking save), I can only guess that the goal is to never reveal that secret once it’s first created but if that’s the case then the UI needs some indication of that.

Would be worth posting the same comment in the Keycloak Jira - https://issues.redhat.com/projects/KEYCLOAK/issues/KEYCLOAK-17508?filter=allopenissues - to me it seems either a bug (I haven’t tested an actual client to see if the secret is being maintained) or a UI bug at the least

In other words, there’s no known way to enter correct client secret?

Sure, you are talking about Identity Provider Client secret and I was talking about actual OIDC Client secret (my bad). I’m also guessing that the goal is to never reveal that secret once is saved. There is a way to enter correct client secret, but there is no (easy) way to retrieve it.

I would say “no valid access_token” may indicates many problems: wrong time, incorrect issuer, … It doesn’t need to be a problem with secret. I would check Keycloak log first.

OK, what is the way to enter correct client secret into an existing IdP entry?

Thanks.

You mean that the actual secret I enter is actually saved correctly?

Yes, it was saved correctly if you typed it correctly. But you can’t verify it in the Web console visually, because API sends masked secret value ******* back to console:

Only non asci characters in the secret can be a problem, because they may/may not be URL encoded/decoded - it really depends on the implementation.

You can also check in the database as it looks like it’s stored in plain text in there, if you look in the table IDENTITY_PROVIDER_CONFIG you’ll see a value for a row with NAME=clientSecret, eg:

1 Like