第8章 Vault SPI
8.1. Vault provider
You can use a vault SPI from org.keycloak.vault
package to write custom extension for Red Hat Single Sign-On to connect to arbitrary vault implementation.
The built-in files-plaintext
provider is an example of the implementation of this SPI. In general the following rules apply:
-
To prevent a secret from leaking across realms, you may want to isolate or limit the secrets that can be retrieved by a realm. In that case, your provider should take into account the realm name when looking up secrets, for example by prefixing entries with the realm name. For example, an expression
${vault.key}
would then evaluate generally to different entry names, depending on whether it was used in a realm A or realm B. To differentiate between realms, the realm needs to be passed to the createdVaultProvider
instance fromVaultProviderFactory.create()
method where it is available from theKeycloakSession
parameter. -
The vault provider needs to implement a single method
obtainSecret
that returns aVaultRawSecret
for the given secret name. That class holds the representation of the secret either inbyte[]
orByteBuffer
and is expected to convert between the two upon demand. Note that this buffer would be discarded after usage as explained below.
For details on how to package and deploy a custom provider refer to the Service Provider Interfaces chapter.