Secure an Azure AD IdP (OIDC) with a certificate instead of a secret


I have successfully configured an identity provider allowing my Keycloak clients to connect through our Azure AD.

I did this with the usual client id/secret pair, but while doing so I saw on the AAD UI that you could add certificates alongside secrets, and although the possibility of not needing to refresh the secret every few months is very pleasant, I find nothing on Keycloak that would help me achieve that.

So… Do you know if it is possible to use certificates instead of secrets to configure an AAD IdP on Keycloak?

Thank you for your time.
Julien L.


For the record, I tried using the “JWT signed with private key” value for the “Client authentication” option of my IdP.
I added the corresponding RSA certificate of my Keycloak realm to my AAD App Registration, but got the following error (server log) when trying to authenticate as any user:

AADSTS700027: The certificate with identifier used to sign the client assertion is not registered on application. [Reason - The key was not found., Please visit the Azure Portal, Graph Explorer or directly use MS Graph to see configured keys for app Id ‘4cf948df-417b-4fc6-8d32-0ea54e6a51c8’. Review the documentation at [URL] to determine the corresponding service endpoint and [URL] to build a query request URL, such as ‘[URL]’]

I tried different settings/certificates but I never managed to go further than that…

Any help is appreciated.
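One way to narrow down an AADSTS700027 rejection like the one above is to inspect the client assertion Keycloak actually sends and compare its header with the certificates registered on the App Registration. Azure AD locates the signing certificate through the JWT `x5t` header, the base64url-encoded SHA-1 thumbprint of the certificate's DER encoding. The checker below is an added example, not code from the thread or from Keycloak; it assumes you have captured the assertion (for instance from a request trace) and exported the registered certificate(s) as DER, and the certificate bytes and JWT used here are constructed stand-ins.

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    # JWTs omit base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def cert_x5t(cert_der: bytes) -> str:
    # x5t = base64url(SHA-1(DER certificate)): the identifier Azure AD matches
    # against the certificates registered on the App Registration.
    return b64url_encode(hashlib.sha1(cert_der).digest())


def jwt_header(assertion: str) -> dict:
    # Only the protected header is inspected; the signature is not verified here.
    return json.loads(b64url_decode(assertion.split(".")[0]))


def diagnose_assertion(assertion: str, registered_certs_der: list[bytes]) -> str:
    header = jwt_header(assertion)
    registered = {cert_x5t(der) for der in registered_certs_der}
    x5t = header.get("x5t")
    if x5t is None:
        # Typical when the header carries only a key id (kid) but no thumbprint.
        return f"no x5t header (header carries {sorted(header)}); Azure AD cannot locate the certificate"
    if x5t in registered:
        return "ok: x5t matches a registered certificate"
    return f"x5t {x5t} does not match any registered certificate thumbprint"


# Constructed sample data: stand-in DER bytes (not a real certificate).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00constructed-der-bytes"


def make_assertion(header: dict) -> str:
    # Builds an unsigned stand-in assertion; the signature segment is a placeholder.
    payload = {"iss": "APP-ID-PLACEHOLDER", "sub": "APP-ID-PLACEHOLDER",
               "aud": "https://login.microsoftonline.com/TENANT-PLACEHOLDER/oauth2/v2.0/token"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     b64url_encode(b"signature-placeholder")])
```

Run `diagnose_assertion` on the captured assertion and the exported DER files; a result other than "ok" tells you which side (header contents or registered certificate) to look at first.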

The absence of reply makes me wonder…
If no one else is asking this question, and if there is no possibility to achieve this (using certificates instead of secret strings), does it mean the secret strings are best practices? Or is it because it is too complex to implement?