Package org.keycloak.broker.spiffe

package org.keycloak.broker.spiffe
  • Class
    Description
    SpiffeBundleEndpointLoader
     
    SpiffeConstants
     
    SpiffeIdentityProvider
    Implementation for https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/ Main differences for SPIFFE JWT SVIDs and regular client assertions: jwt-spiffe client assertion type iss claim is optional, uses SPIFFE IDs, which includes trust domain instead jti claim is optional, and SPIFFE vendors re-use/cache tokens sub is a SPIFFE ID with the syntax spiffe://trust-domain/workload-identity Keys are fetched from a SPIFFE bundle endpoint, where the JWKS has additional SPIFFE specific fields (spiffe_sequence and spiffe_refresh_hint, the JWK does not set the alg>
    SpiffeIdentityProviderConfig
     
    SpiffeIdentityProviderFactory