Monday, 12 October 2015

Authentication of clients with signed JWT

Until version 1.4 the confidential OpenID Connect client applications can be authenticated just with client ID and client secret. Client secret is shared between client application and Keycloak server and hence is known to both parties.

From the 1.5 version, we added support for authentication with private/public key pair. It's based on the RFC 7523 . The client authentication works in a way, that the client/adapter generates the Json Web Token (JWT) and signs it with his private key. The Keycloak server then verifies the signed JWT with the client's public key and authenticates client based on it.

The private key of client can be generated by Keycloak server and saved to keystore file on client side, or you can use existing private key of client and upload just certificate/public key to Keycloak server. In both cases, there is just client certificate and public key saved in Keycloak database.

There is increased security in this kind of client authentication in comparison to client secret, as the private key of client is not saved in Keycloak database and it's not sent over the network during client authentication.

More than that, we added support for pluggable client authentication. So if it's still not sufficient for you to authenticate your client with client secret or with signed JWT, you can implement and plug your own authenticator and configure it in admin console . See docs for more details.


  1. Replies
    1. Docs have moved. Try

    2. seems like docs are moving far too often :/ please try to at least keep the structure working or redirecting! It's nearly unusable atm...

  2. Hi,

    I have a situation where I'd like a client application to retrieve a token to use a REST service. But the token should be given only if the IdP can authenticate the client. The client application should authenticate using a certificate against the Identity Provider (Microsoft ADFS).

    Is this a common situation? Does the above cover this situation?


Please only add comments directly associated with the post. For general questions use the Keycloak user mailing list.