Default Keycloak setup is not IS-10 compliant

[firthmj]

If a Keycloak server is set up following the INFO-002 guidance, the result will not be compliant with IS-10. In particular, for this section:

https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.1._Behaviour_-_Authorization_Servers.html#client-registration

The default Keycloak behaviour does not require an Initial Access Token for client_credentials registrations. Also, unless I'm misunderstanding what is meant, it doesn't generate a client_secret for client_credentials registrations either.

It would be good to add some guidance on how to make Keycloak compliant to IS-10 to the INFO-002 text, assuming it is possible to make it compliant.

[firthmj]

It seems I was wrong on the second point - for the example flow in INFO-002 a client_secret shouldn't be generated as a token_endpoint_auth_method is present in the request, so Keycloak was following that correctly.

Having a worked example of how to request a token in the case where a client_secret is generated/required would probably be useful (i.e. what changes are there in the client_assertion_type and client_assertion etc for this case)

[lo-simon]

client_secret is used for confidential clients, in our examples, the Controller is a public client, i.e. no client_secret. Although the Node is a confidential client, to prevent the middle man attack of using client_credentials flow, such as leak of client_secret, IS-10 recommends using private_key_jwt for its authenticate method token_endpoint_auth_method, which will also not use client_secret.

The client_assertion is required when using private_key_jwt and not related to the client_secret.

If a new example is required, I would suggest adding a confidential Controller, using client_secret_basic for its authenticate method, and use of client_secret while exchanging authorization code for the access token.

[firthmj]

I think the client secret issue is actually a confusing contradiction between:

https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.1._Behaviour_-_Authorization_Servers.html#client-registration

and

https://specs.amwa.tv/is-10/releases/v1.0.0/docs/4.2._Behaviour_-_Clients.html#client-credentials

The former says "an Authorization Server MUST generate a Client ID and, in the case of a confidential client, a client secret", but the latter discusses and prefers the private_key_jwt method, where the client_secret is not relevant. So I think saying "an Authorization Server MUST generate a client secret in the case of a confidential client", which is what the first quote says if reordered, is incorrect.

Because most people read the spec in order, they will read the 4.1 text before the 4.2 section.

[peterbrightwell]

Part of wider review of BCP-003 suite.
Architecture Review Group review: place on backlog

[jonathan-r-thorpe]

After discussion with @lo-simon we agree with @firthmj that there is a contradiction between the two sections of IS-10.

This could be fixed in the Authorization Server document's Client Registration section by changing:

"After successful registration, an Authorization Server MUST generate a Client ID and, in the case of a confidential client, a client secret"

to

"After successful registration, an Authorization Server MUST generate a Client ID. In the case of a confidential client using HTTP Basic Authentication a client secret MUST also be generated."

[peterbrightwell]

@jonathan-r-thorpe can you do a PR?