For integration with an external company, due to their limitations, we would like to skip automatic secret creation in the Keycloak UI and set it programmatically using the Keycloak Admin REST API. I believe this is a backward-compatible approach, but I would still like to confirm: could this lead to any potential compatibility issues in the future, or is it completely safe?
To say it with the words of Niels Bohr, Nobel Laureate in quantum physics and father of the atomic model:
It’s difficult to make predictions, especially about the future.
The default behavior in OAuth2 is that the authorization server creates the client secret.
When you say you want to use the Keycloak Admin REST API: there isn’t a method to set the secret from outside for an existing client!
You can skip automatic creation and set values only if you import realms as JSON files at Keycloak's initial bootstrap with the Keycloak import feature enabled. There you can use placeholders with the ENV name and set your values in k8s secrets or a vault.
"clientSecret": "${ENV_CLIENT_SECRET}"
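As an added illustration of the bootstrap-import approach described in the answer above (example code, not from the original thread or from the Keycloak project), the script below generates a client secret from the OS CSPRNG, checks it against a local length/entropy policy before it is handed to the external party, and simulates how a `${NAME}` placeholder in a realm JSON fragment is resolved from the environment at import time. The placeholder syntax and the `"clientSecret"` key are copied from the answer as written and are not verified against the Keycloak realm schema; the policy thresholds, the realm and client names, and the substitution logic are assumptions of this example only.

```python
import json
import math
import re
import secrets
from collections import Counter

# Placeholder syntax copied from the answer above; confirm it against the
# Keycloak version you run, since this script only simulates the substitution.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed realm fragment mirroring the answer's placeholder (key name
# taken from the post, not checked against the Keycloak schema). Realm and
# client names are made up for this example.
REALM_TEMPLATE = {
    "realm": "partner-realm",
    "clients": [
        {"clientId": "partner-app", "clientSecret": "${ENV_CLIENT_SECRET}"}
    ],
}

# Assumed local policy: minimum length and minimum estimated entropy in bits.
MIN_LENGTH = 32
MIN_ENTROPY_BITS = 128


def make_client_secret(nbytes: int = 32) -> str:
    """Generate a URL-safe secret carrying nbytes of CSPRNG entropy."""
    return secrets.token_urlsafe(nbytes)


def shannon_entropy_bits(value: str) -> float:
    """Rough total entropy estimate (Shannon, per-character frequencies).

    Useful as a sanity check on a secret supplied by an external party; it
    cannot prove randomness, but it rejects obviously repetitive values.
    """
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def check_secret_policy(secret: str) -> bool:
    """Return True when the secret meets the assumed length/entropy policy."""
    return len(secret) >= MIN_LENGTH and shannon_entropy_bits(secret) >= MIN_ENTROPY_BITS


def missing_placeholders(template: dict, env: dict) -> list:
    """List placeholder names in the template that env does not provide."""
    names = PLACEHOLDER.findall(json.dumps(template))
    return sorted({name for name in names if name not in env})


def render_realm(template: dict, env: dict) -> dict:
    """Simulate bootstrap-time substitution of ${NAME} from env.

    A missing variable raises instead of silently importing the literal
    placeholder string as the client secret.
    """
    missing = missing_placeholders(template, env)
    if missing:
        raise KeyError(f"missing environment variables: {', '.join(missing)}")

    def subst(node):
        if isinstance(node, dict):
            return {k: subst(v) for k, v in node.items()}
        if isinstance(node, list):
            return [subst(v) for v in node]
        if isinstance(node, str):
            return PLACEHOLDER.sub(lambda m: env[m.group(1)], node)
        return node

    return subst(template)


if __name__ == "__main__":
    secret = make_client_secret()
    print("policy ok:", check_secret_policy(secret))
    realm = render_realm(REALM_TEMPLATE, {"ENV_CLIENT_SECRET": secret})
    # Print the rendered realm with the secret redacted, never the value itself.
    realm["clients"][0]["clientSecret"] = "<redacted>"
    print(json.dumps(realm, indent=2))
```

The template file that goes into the import directory keeps only the placeholder; the generated value lives in the k8s Secret or vault entry that populates `ENV_CLIENT_SECRET`, so the secret never appears in the checked-in realm JSON.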
Thanks, great response, the one I expected! But Niels Bohr was not correct about the atomic model; it was too simplified and failed to explain the wave-particle duality of electrons. So, I assume that there is no strict guarantee against possible changes to secret length, entropy, etc. “policies” (code-related things) such that some external secret could be considered incorrect in the future.