org.keycloak.broker.spiffe (Keycloak Docs Distribution 999.0.0-SNAPSHOT API)

package org.keycloak.broker.spiffe

Class

Description

SpiffeBundleEndpointLoader

SpiffeConstants

SpiffeIdentityProvider

Implementation for https://datatracker.ietf.org/doc/draft-schwenkschuster-oauth-spiffe-client-auth/ Main differences for SPIFFE JWT SVIDs and regular client assertions: jwt-spiffe client assertion type iss claim is optional, uses SPIFFE IDs, which includes trust domain instead jti claim is optional, and SPIFFE vendors re-use/cache tokens sub is a SPIFFE ID with the syntax spiffe://trust-domain/workload-identity Keys are fetched from a SPIFFE bundle endpoint, where the JWKS has additional SPIFFE specific fields (spiffe_sequence and spiffe_refresh_hint, the JWK does not set the alg>

SpiffeIdentityProviderConfig

SpiffeIdentityProviderFactory