Hi,
Is there any way we can automate the realm keys and client secrets?
For realm keys I believe we can use the Admin REST API to generate new keys: POST /{realm}/components
For client secrets I believe we can use the Admin REST API: POST /{realm}/clients/{id}/client-secret
Probably we can automate this using a few scripts. But is this the preferred way?
Please suggest.
Thanks
Lakshay
Keycloak does support automated client secret rotation since version 18, see docs for details.
For realm keys, your approach might be a way to go.
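A sketch of the scripted realm-key approach discussed above, added here as an example that is not part of the original thread or of Keycloak's own code. It plans a rotation from a realm's component list: a new `rsa-generated` key provider with a higher priority than any existing one, plus the ids of the currently active keys to mark passive afterwards. The `/admin/realms/...` path prefix, the host name, the token and the sample components are assumptions constructed for illustration.

```python
import json
import urllib.request

KEY_PROVIDER_TYPE = "org.keycloak.keys.KeyProvider"

# Constructed sample of what GET .../components might return (not real data).
SAMPLE_COMPONENTS = [
    {"id": "constructed-id-1", "providerId": "rsa-generated",
     "providerType": KEY_PROVIDER_TYPE,
     "config": {"priority": ["50"], "active": ["false"]}},
    {"id": "constructed-id-2", "providerId": "rsa-generated",
     "providerType": KEY_PROVIDER_TYPE,
     "config": {"priority": ["100"], "active": ["true"]}},
    {"id": "constructed-id-3", "providerId": "aes-generated",
     "providerType": KEY_PROVIDER_TYPE,
     "config": {"priority": ["100"]}},
]

def _cfg(component, key, default):
    # Component config values are lists of strings.
    return component.get("config", {}).get(key, [default])[0]

def plan_rotation(realm_id, components, name):
    """Return (new key component payload, ids of keys to make passive)."""
    rsa = [c for c in components
           if c.get("providerType") == KEY_PROVIDER_TYPE
           and c.get("providerId") == "rsa-generated"]
    top = max((int(_cfg(c, "priority", "0")) for c in rsa), default=0)
    new_component = {
        "name": name,
        "providerId": "rsa-generated",
        "providerType": KEY_PROVIDER_TYPE,
        "parentId": realm_id,
        # Highest priority wins, so this key becomes the signing key.
        "config": {"priority": [str(top + 100)], "enabled": ["true"],
                   "active": ["true"], "keySize": ["2048"],
                   "algorithm": ["RS256"]},
    }
    # Passive keys still verify old tokens but no longer sign new ones.
    to_passive = [c["id"] for c in rsa if _cfg(c, "active", "true") == "true"]
    return new_component, to_passive

def build_request(base_url, realm, token, component):
    """Build (but do not send) the POST that creates the key component."""
    return urllib.request.Request(
        f"{base_url}/admin/realms/{realm}/components",
        data=json.dumps(component).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
```

Passing the built request to `urllib.request.urlopen` sends it and requires a valid admin access token; keep the old keys passive rather than deleting them until every token they signed has expired.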
Thanks dasniko,
I believe you are referring to the below admin APIs for client secret rotation:
- GET /{realm}/clients/{id}/client-secret/rotated
- DELETE /{realm}/clients/{id}/client-secret/rotated
Where did I say that I refer to some Admin API endpoints? Never…
I’m referring to the feature “client secret rotation” and told you to see the docs. As this might be too difficult for some users, here’s the link: Server Administration Guide
With this feature, you can configure automated secret rotation, w/o calling the API. But you can call the API on demand, but that’s not what you originally asked for.
Is this still true that Keycloak does not rotate the realm keys (keys used to sign access tokens) on its own or on a default cadence?