Automated secret rotation (OAuth 2.0)


Since this document was published, we have upgraded the version of Keycloak used with Spark. The steps below may be different after this upgrade.

This article covers automated secret rotation for both Keycloak Clients and Keycloak OIDC Identity Providers. The recommended approach from IETF RFC 6749 is to use the Client Credentials grant (OAuth 2.0).

We strongly discourage the use of the Resource Owner Password Credentials Grant (ROPC) method, which has been officially declared obsolete by the OAuth working group.

Create and configure Client Credentials

  1. Log in to the target Spark tenant. Access the Keycloak console from the User menu.

  2. Log into the Keycloak Admin Console using your admin credentials.

  3. In the left pane, click on Clients.

  4. In the right corner of the Clients page, click Create.

  5. Fill in the Client ID field with a memorable name, select openid-connect as the Client Protocol, and click Save. The browser will redirect to the newly created client page.

  6. Set Enabled to ON, Access Type to confidential, and Service Accounts Enabled to ON. Ensure all the other settings are set to OFF and click Save.

  7. Navigate to the Scope tab and switch the Full Scope Allowed setting to OFF.

  8. Configure the following properties:

    • In the Client Roles list select realm-management.

    • In the Available Roles section select manage-identity-providers and manage-clients.

    • Click on Add selected button.

Find the Client Credentials Service ID

  1. Log in to the target Spark tenant. Access the Keycloak console from the User menu.

  2. Log into the Keycloak Admin Console using your admin credentials.

  3. On the Clients page select the Credentials tab and copy the Secret.

  4. Open Postman or any other API testing platform.

  5. Fill in or select the following values:

    • Method: POST

    • URL: {The Keycloak token endpoint URL from Step 1}

    In the Body tab, make sure the format is set to x-www-form-urlencoded and add the following key/value pairs:

    • grant_type: client_credentials

    • client_id: {The Client ID you created in Step 5 under Create and configure Client Credentials}

    • client_secret: {The secret from Step 2}

    Click Send.

  6. Copy the Access token from the response body. The token is needed in step 7.

  7. Open a new browser tab, navigate to https://jwt.ms, and paste the access token.

  8. Copy the sub (subject) claim. Note that roles are not specified in the decoded token.

Assign necessary permission to the Client Credentials

  1. In Keycloak, in the Manage section of the left pane, click on Users.

  2. On the user page click on View all users.

  3. Click on any user in the ID column.

  4. In the browser address bar, replace the user ID with the ID copied in step 7 of the Find the Client Credentials Service ID section and press Enter.

  5. Click on the Role Mappings.

  6. Configure the following properties:

    • In the Client Roles list select realm-management.

    • In the Available Roles list select manage-clients and manage-identity-providers.

    • Click Add selected.

  7. Repeat the steps in the section Find the Client Credentials Service ID and notice that the access token now contains all the necessary scopes.

Generate a new client secret for a Keycloak client

  1. Repeat all the steps in the section Create and configure Client Credentials to create a new client, named Test for example.

  2. Copy the client ID from the browser address bar.

  3. Create a new request in Postman, and fill in or select the following values:

    • Method: POST

    • URL: https://keycloak.{environment}/auth/admin/realms/{tenant}/clients/{ID from previous step}/client-secret

    In the Auth tab, set up the authorization header:

    • Type: Bearer Token

    • Token: {The token received in step 7 in “Assign permission to the Client Credentials” section}

    Click Send.

  4. The client secret has been changed.

Replace the secret for an OIDC provider

  1. In Keycloak click on Identity Providers.

  2. Click on provider to change.

  3. Copy the Alias.

  4. Create a new request in Postman, fill in and select the following values:

    • Method: GET

    • URL: https://keycloak.{environment}/auth/admin/realms/{tenant}/identity-provider/instances/{alias from step 3}

    In the Auth tab, set up the authorization header:

    • Type: Bearer Token

    • Token: {The token received in step 7 in “Assign permission to the Client Credentials” section}

  5. Perform the following steps:

    • Copy the response body from the previous step and paste it in the body section.

    • Replace the value of the clientSecret field with the new client secret.

    • Change the HTTP method to PUT.

    • Click Send.
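The whole rotation flow above (obtain a Client Credentials token, generate a new client secret, then GET/PUT the identity provider with the new clientSecret) as a single script. This is an added example, not part of the Spark documentation; the Keycloak base URL, realm, client names and alias are placeholders, and it assumes the Keycloak Admin REST API paths shown in the steps above, with clientSecret living under the provider's config object.

```python
"""Rotate a Keycloak client secret and push it into an OIDC identity provider."""
import json
import urllib.parse
import urllib.request

# Placeholders (assumed, not real values): replace for your tenant.
KEYCLOAK = "https://keycloak.EXAMPLE_ENVIRONMENT/auth"
REALM = "EXAMPLE_TENANT"


def token_request(client_id, client_secret):
    """URL and x-www-form-urlencoded body for the Client Credentials grant."""
    url = f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    return url, body


def _call(method, url, token=None, data=None, content_type=None):
    """Minimal JSON HTTP helper; raises urllib.error.HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    if content_type:
        req.add_header("Content-Type", content_type)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None  # PUT returns an empty 204


def get_access_token(client_id, client_secret):
    url, body = token_request(client_id, client_secret)
    return _call("POST", url, data=body,
                 content_type="application/x-www-form-urlencoded")["access_token"]


def rotate_client_secret(token, client_uuid):
    """POST .../clients/{id}/client-secret generates and returns the new secret."""
    url = f"{KEYCLOAK}/admin/realms/{REALM}/clients/{client_uuid}/client-secret"
    return _call("POST", url, token)["value"]


def with_new_secret(idp_json, new_secret):
    """Copy of the identity-provider representation with config.clientSecret replaced."""
    updated = json.loads(json.dumps(idp_json))  # deep copy; caller's dict is untouched
    updated.setdefault("config", {})["clientSecret"] = new_secret
    return updated


def update_idp_secret(token, alias, new_secret):
    """GET the provider, swap the secret, PUT it back (the Postman steps above)."""
    url = f"{KEYCLOAK}/admin/realms/{REALM}/identity-provider/instances/{alias}"
    current = _call("GET", url, token)
    _call("PUT", url, token, data=json.dumps(with_new_secret(current, new_secret)).encode(),
          content_type="application/json")
```

Chain the calls as `update_idp_secret(tok, "my-idp", rotate_client_secret(tok, client_uuid))` with `tok = get_access_token(...)` from the rotation client, and treat the returned secret as sensitive output (do not log it).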
