Expand Up @@ -159,9 +159,14 @@ private void rotateSecret(ClientCRUDContext crudContext,
}

private void updatedSecretExpiration(OIDCClientSecretConfigWrapper clientConfigWrapper) {
clientConfigWrapper.setClientSecretExpirationTime(
Time.currentTime() + configuration.getExpirationPeriod());
logger.debugv("A new secret expiration is configured for client {0}. Expires at {1}", clientConfigWrapper.getId(), Time.toDate(clientConfigWrapper.getClientSecretExpirationTime()));
if (configuration.getExpirationPeriod()==0) {
clientConfigWrapper.setClientSecretExpirationTime(null);
logger.debugv("Secret expiration removed for client {0}", clientConfigWrapper.getId());
} else {
clientConfigWrapper.setClientSecretExpirationTime(
Time.currentTime() + configuration.getExpirationPeriod());
logger.debugv("A new secret expiration is configured for client {0}. Expires at {1}", clientConfigWrapper.getId(), Time.toDate(clientConfigWrapper.getClientSecretExpirationTime()));
}
}

private void updateClientConfigProperties(OIDCClientSecretConfigWrapper clientConfigWrapper) {
Expand Down Expand Up @@ -197,21 +202,22 @@ public static class Configuration extends ClientPolicyExecutorConfigurationRepre
@Override
public boolean validateConfig() {
logger.debugv("Validating configuration: [ expirationPeriod: {0}, rotatedExpirationPeriod: {1}, remainExpirationPeriod: {2} ]", expirationPeriod, rotatedExpirationPeriod, remainExpirationPeriod);
// expiration must be a positive value greater than 0 (seconds)
if (expirationPeriod <= 0) {
// expiration must be a positive value greater than 0 (seconds), or 0 for no expiration

if (expirationPeriod < 0) {
return false;
}

// rotated secret duration could not be bigger than the main secret
if (rotatedExpirationPeriod > expirationPeriod) {
if (expirationPeriod > 0 && rotatedExpirationPeriod > expirationPeriod) {
return false;
}

// remaining secret expiration period could not be bigger than main secret
if (remainExpirationPeriod > expirationPeriod) {
if (expirationPeriod > 0 && remainExpirationPeriod > expirationPeriod) {
return false;
}

return true;
}
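Review bot: In validateConfig, once expirationPeriod is 0 both upper-bound checks are skipped, so rotatedExpirationPeriod and remainExpirationPeriod are accepted with any value, and nothing in the visible lines rejects negative ones. Since 0 now means the new secret has no expiration, those two periods are no longer tied to anything and would benefit from their own check, e.g. `if (rotatedExpirationPeriod < 0 || remainExpirationPeriod < 0) { return false; }` placed before the comparisons (assuming negative values have no defined meaning here). In updatedSecretExpiration the removal of the expiration is logged only at debug level; because it turns a rotating secret into a long-lived credential, a higher level such as `logger.infov(...)` would make the change visible in normal operational logs. The updated comment in validateConfig is now separated from its `if` by a blank line and would read better directly above it.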

Expand Up @@ -35,7 +35,7 @@ public class ClientSecretRotationExecutorFactory implements ClientPolicyExecutor
static {
ProviderConfigProperty secretExpirationPeriod = new ProviderConfigProperty(
SECRET_EXPIRATION_PERIOD, "Secret expiration",
"When the secret is rotated. The time frequency for generating a new secret. (In seconds)",
"When the secret is rotated. The time frequency for generating a new secret. When this is set to 0, the new secret will have no expiration (In seconds)",
ProviderConfigProperty.STRING_TYPE, DEFAULT_SECRET_EXPIRATION_PERIOD);
configProperties.add(secretExpirationPeriod);
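Review bot: The new help text leaves "(In seconds)" after the sentence about 0, so the unit now reads as if it qualifies "no expiration" rather than the period. Moving the unit back next to the frequency and stating the consequence plainly would be clearer, e.g. `"... The time frequency for generating a new secret, in seconds. When set to 0, new secrets never expire and are not rotated by expiration."`; that final clause is inferred from the executor change in this commit and should be confirmed before it goes into the admin-facing text.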
