Database hardening

For my use case, I have a relational database as a backend for Keycloak. Some secrets, such as OAuth2 client secrets, are stored in the database as clear text. Do you have any recommendation to harden the DB to improve security?

On the other hand, what would be the best practice from a security perspective for deployment?


We have Vault support in later versions of Keycloak. However, I see that
it doesn’t (yet) support validation/storage of client secrets per .

So if the client secret is a concern, the more secure alternative is to
authenticate clients with the private key JWT. For the details, see
and OpenID Connect specification chapter about client authentication.
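The private key JWT client authentication that the reply recommends, as an added Go example that is not from this thread or from Keycloak's code base: the client signs a short-lived assertion with its own RSA key, and the server side verifies it against the registered public key, so no client secret needs to be stored in the database. The token endpoint URL, the client ID used in the test, and the one-minute lifetime are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"strings"
	"time"
)
// TokenEndpoint is a placeholder realm token endpoint; host and realm are assumptions.
const TokenEndpoint = "https://keycloak.example.invalid/realms/demo/protocol/openid-connect/token"
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// BuildAssertion signs a private_key_jwt client assertion with RS256: iss and sub are the
// client ID, aud is the token endpoint, jti is fresh and exp keeps it short-lived.
func BuildAssertion(key *rsa.PrivateKey, clientID string, now time.Time) (string, error) {
	jti := make([]byte, 16)
	_, _ = rand.Read(jti) // crypto/rand; does not return an error on current Go
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{"iss": clientID, "sub": clientID, "aud": TokenEndpoint,
		"jti": b64(jti), "iat": now.Unix(), "exp": now.Add(time.Minute).Unix()})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyAssertion is the server-side check: signature against the client's registered
// public key (so no shared secret sits in the DB), then issuer, subject, audience, expiry.
func VerifyAssertion(pub *rsa.PublicKey, jwt, clientID string, now time.Time) bool {
	p := strings.Split(jwt, ".")
	if len(p) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(p[2])
	digest := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return false
	}
	raw, _ := base64.RawURLEncoding.DecodeString(p[1])
	var c struct{ Iss, Sub, Aud string; Exp int64 }
	return json.Unmarshal(raw, &c) == nil && c.Iss == clientID && c.Sub == clientID &&
		c.Aud == TokenEndpoint && now.Unix() < c.Exp
}
```

The client sends the assertion to the token endpoint as `client_assertion` together with `client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer`.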


Thanks Marek.
A side-tracked question: in Keycloak, would it be feasible to build an extension so that secrets from the client are encrypted before they are processed downstream and decrypted after they are read from the DB? If it is feasible, could you please kindly point me to some documents?
Thanks again!

Any good news about the ability to manage client secrets using a Vault? Either from the development team or the community?

Has anyone already investigated this point and could share some clues about how to implement a Vault provider to manage client secrets?