Default Keycloak setup is not IS-10 compliant #56

Open
firthmj opened this issue Mar 9, 2022 · 4 comments
Comments

@firthmj (Contributor) commented Mar 9, 2022

If a Keycloak server is set up following the INFO-002 guidance, the result will not be compliant with IS-10. In particular, for this section:

https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.1._Behaviour_-_Authorization_Servers.html#client-registration

The default Keycloak behaviour does not require an Initial Access Token for client_credentials registrations. Also, unless I'm misunderstanding what is meant, it doesn't generate a client_secret for client_credentials registrations either.

It would be good to add some guidance on how to make Keycloak compliant with IS-10 to the INFO-002 text, assuming it is possible to make it compliant.

@firthmj (Contributor, Author) commented Mar 9, 2022

It seems I was wrong on the second point: for the example flow in INFO-002 a client_secret shouldn't be generated, as a token_endpoint_auth_method is present in the request, so Keycloak was following that correctly.

Having a worked example of how to request a token in the case where a client_secret is generated/required would probably be useful (i.e. what changes there are in the client_assertion_type, client_assertion etc. for this case).

@lo-simon (Contributor) commented

client_secret is used for confidential clients. In our examples, the Controller is a public client, i.e. it has no client_secret. Although the Node is a confidential client, to prevent man-in-the-middle attacks on the client_credentials flow, such as a leak of the client_secret, IS-10 recommends using private_key_jwt for its authentication method (token_endpoint_auth_method), which also does not use a client_secret.

The client_assertion is required when using private_key_jwt and is not related to the client_secret.

If a new example is required, I would suggest adding a confidential Controller, using client_secret_basic for its authentication method, and using the client_secret while exchanging the authorization code for the access token.
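The two token requests discussed in this thread side by side, as an added example that is not code from INFO-002, IS-10 or Keycloak: a confidential Controller authenticating with client_secret_basic, and a Node authenticating with private_key_jwt, where no client_secret exists and a signed client_assertion (RFC 7523) is sent instead. The server-side checks an Authorization Server applies to that assertion are included so the replay and audience failure modes are visible. The minimal RS256 implementation, the 512-bit demo key, the client ids, token endpoint URL and scope strings are all constructed for this example and are not values from the specifications.

```python
import base64, hashlib, json, math, secrets, time
from urllib.parse import quote

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# --- minimal RSA / RS256 (PKCS#1 v1.5 over SHA-256) so the example runs offline ---
# Demo-size key only; a deployment uses a >= 2048-bit key from a real crypto library.
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                      # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def gen_rsa_key(bits: int = 512, kid: str = "node-key-1") -> dict:
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and math.gcd(e, (p - 1) * (q - 1)) == 1:
            return {"kid": kid, "n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg: bytes, k: int) -> int:
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(msg: bytes, key: dict) -> bytes:
    k = (key["n"].bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(msg, k), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(msg: bytes, sig: bytes, key: dict) -> bool:
    k = (key["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), key["e"], key["n"]) == _emsa_pkcs1_v15(msg, k)

def make_client_assertion(client_id: str, token_endpoint: str, key: dict, lifetime: int = 60) -> str:
    """client_assertion JWT for private_key_jwt: iss == sub == client_id, aud == token endpoint (RFC 7523)."""
    now = int(time.time())
    header = {"alg": "RS256", "typ": "JWT", "kid": key["kid"]}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "jti": secrets.token_urlsafe(16), "iat": now, "exp": now + lifetime}
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(claims)
    return signing_input + "." + b64url(rs256_sign(signing_input.encode(), key))

def token_request_private_key_jwt(client_id: str, token_endpoint: str, key: dict, scope: str) -> dict:
    """Form body for a Node: no client_secret anywhere, the signed assertion authenticates the client."""
    return {"grant_type": "client_credentials", "scope": scope, "client_assertion_type": ASSERTION_TYPE,
            "client_assertion": make_client_assertion(client_id, token_endpoint, key)}

def token_request_client_secret_basic(client_id: str, client_secret: str, scope: str) -> tuple:
    """Headers and form body for a confidential Controller: secret goes in HTTP Basic (RFC 6749 2.3.1)."""
    creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
    return {"Authorization": "Basic " + base64.b64encode(creds).decode()}, {"grant_type": "client_credentials", "scope": scope}

def verify_client_assertion(assertion: str, client_id: str, token_endpoint: str, pubkey: dict, seen_jti: set, now=None):
    """Checks an Authorization Server applies to a private_key_jwt assertion; returns the claims or None."""
    try:
        h_b64, c_b64, s_b64 = assertion.split(".")
        header, claims = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(c_b64))
        sig = b64url_decode(s_b64)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    ok = (isinstance(header, dict) and isinstance(claims, dict)
          and header.get("alg") == "RS256"                                  # pin the algorithm server-side
          and rs256_verify(f"{h_b64}.{c_b64}".encode(), sig, pubkey)
          and claims.get("iss") == client_id and claims.get("sub") == client_id
          and claims.get("aud") == token_endpoint                           # bound to this token endpoint
          and isinstance(claims.get("exp"), int) and claims["exp"] > now
          and isinstance(claims.get("jti"), str) and claims["jti"] not in seen_jti)  # reject replays
    if not ok:
        return None
    seen_jti.add(claims["jti"])
    return claims
```

The verifier is deliberately strict about iss/sub, aud and jti: an assertion captured on the wire is useless against a different token endpoint and cannot be replayed against the same one, which is the property that makes private_key_jwt preferable to sending a long-lived client_secret on every request. A real Authorization Server would look the Node's public key up by kid in the JWKS registered for that client_id rather than take it as a parameter.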

@firthmj (Contributor, Author) commented Mar 14, 2022

I think the client secret issue is actually a confusing contradiction between:

https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.1._Behaviour_-_Authorization_Servers.html#client-registration

and

https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.2._Behaviour_-_Clients.html#client-credentials

The former says "an Authorization Server MUST generate a Client ID and, in the case of a confidential client, a client secret", but the latter discusses and prefers the private_key_jwt method, where the client_secret is not relevant. So I think saying "an Authorization Server MUST generate a client secret in the case of a confidential client", which is what the first quote says if reordered, is incorrect.

Because most people read the spec in order, they will read the 4.1 text before the 4.2 section.

@peterbrightwell (Contributor) commented

Part of wider review of BCP-003 suite.
Architecture Review Group review: place on backlog
