Documentation for federated client authentication

Closes #42721

Signed-off-by: stianst <stianst@gmail.com>

docs/documentation/server_admin/topics.adoc

@@ -47,6 +47,7 @@ include::topics/identity-broker/social/twitter.adoc[]
 include::topics/identity-broker/oidc.adoc[]
 include::topics/identity-broker/oauth2.adoc[]
 include::topics/identity-broker/saml.adoc[]
+include::topics/identity-broker/spiffe.adoc[]
 include::topics/identity-broker/suggested.adoc[]
 include::topics/identity-broker/mappers.adoc[]
 include::topics/identity-broker/session-data.adoc[]

docs/documentation/server_admin/topics/clients/oidc/con-confidential-client-credentials.adoc

@@ -14,10 +14,10 @@ The *Client Authenticator* drop-down list specifies the type of credential to us
 
 This choice is the default setting. The secret is automatically generated. Click *Regenerate* to recreate the secret if necessary.
 
-.Signed JWT
+*Signed JWT issued by the client*
 image:images/client-credentials-jwt.png[Signed JWT]
 
-*Signed JWT* is "Signed JSON Web Token".
+*Signed JWT* allows a client to authenticate with self-signed client assertions. This enables the client to authenticate without a shared secret.
 
 In this authenticator you can enforce the *Signature algorithm* used by the client (any algorithm is valid by default) and the *Max expiration* allowed for the JWT token (tokens received after this period will not be accepted because they are too old, note that tokens should be issued right before the authentication, 60 seconds by default).
 
@@ -59,6 +59,32 @@ https://myhost.com/myapp/k_jwks
 
 See link:{developerguide_link}[{developerguide_name}] for more details.
 
+*Signed JWT issued by an Identity Provider*
+
+:tech_feature_name: Signed JWT issued by an Identity Provider
+:tech_feature_id: client-auth-federated
+include::../../../topics/templates/techpreview.adoc[]
+
+*Signed JWT* allows a client to authenticate with client assertions issued by an identity provider. Example use-cases
+include:
+
+* Client assertion issued by an OpenID Connect provider
+* SPIFFE JWT SVIDs
+* Kubernetes service accounts
+
+Before using this authentication mechanism, an identity provider capable of verifying client assertions should be configured.
+
+The identity providers which support client assertions are:
+
+* <<_identity_broker_oidc,OpenID Connect>> (support for client assertions must be enabled)
+* <<_identity_broker_spiffe,SPIFFE>>
+
+image:images/client-federated-jwt.png[]
+
+* Identity provider - the alias of the identity provider to use
+* Federated subject - the external client id for the client (value of the `sub` claim of the client assertion)
+
+
 *Signed JWT with Client Secret*
 
 If you select this option, you can use a JWT signed by client secret instead of the private key.

docs/documentation/server_admin/topics/identity-broker/oidc.adoc

@@ -85,6 +85,12 @@ If the user is unauthenticated in the IDP, the client still receives a `login_re
 | Define the query parameters to be forwarded to an external AS from the initial authorization request sent to the authorization endpoint. Multiple parameters can be entered, separated by comma (,). The parameters available
 to forward are any non OpenID Connect/OAuth standard parameter or standard parameters that are available as a client note from the authentication session.
 
+|Supports client assertions
+|This setting enables support for using client assertions issued by the provider to authenticate clients. Validate Signatures must be enabled as well.
+
+|Allows client assertions to be re-used
+|By default, a client assertion can not be used multiple times. If the client is not able to retrieve a new client assertion for each request this option can be enabled to allow re-use of the same client assertion.
+
 |===
 
 You can import all this configuration data by providing a URL or file that points to OpenID Provider Metadata. If you connect to a {project_name} external IDP, you can import the IDP settings from `<root>{kc_realms_path}/{realm-name}/.well-known/openid-configuration`. This link is a JSON document describing metadata about the IDP.

docs/documentation/server_admin/topics/identity-broker/spiffe.adoc

@@ -0,0 +1,32 @@
+
+[[_identity_broker_spiffe]]
+=== SPIFFE identity providers
+
+:tech_feature_name: SPIFFE
+:tech_feature_id: spiffe
+include::../../topics/templates/techpreview.adoc[]
+
+A SPIFFE identity provider supports authenticating clients with SPIFFE JWT SVIDs.
+
+.Procedure
+. Click *Identity Providers* in the menu.
+. From the `Add provider` list, select `SPIFFE`.
++
+.Add SPIFFE provider
+image:images/spiffe-add-identity-provider.png[Add SPIFFE Provider]
++
+. Enter your initial configuration options.
++
+.SPIFFE settings
+|===
+|Configuration|Description
+
+|Alias
+|The alias for the identity provider is used to link a client to the provider
+
+|SPIFFE Trust Domain
+|The SPIFFE Trust domain (for example `spiffe://my-trust-domain`)
+
+|SPIFFE Bundle Endpoint
+|`https` URL for the SPIFFE Bundle Endpoint where the SPIFFE servers public keys are exposed
+|===

js/apps/admin-ui/maven-resources/theme/keycloak.v2/admin/messages/messages_en.properties

@@ -936,7 +936,7 @@ custom=Custom Attribute...
 keyTab=Key tab
 addSamlProvider=Add SAML provider
 addSpiffeProvider=Add SPIFFE provider
-spiffeTrustDomain=SPIFFE Trust Domain name
+spiffeTrustDomain=SPIFFE Trust Domain
 spiffeBundleEndpoint=SPIFFE Bundle Endpoint
 permission=Permission
 saveEventListeners=Save Event Listeners

services/src/main/java/org/keycloak/broker/spiffe/SpiffeIdentityProvider.java

@@ -26,7 +26,6 @@ import org.keycloak.models.UserSessionModel;
 import org.keycloak.representations.JsonWebToken;
 import org.keycloak.sessions.AuthenticationSessionModel;
 
-import java.net.URI;
 import java.nio.charset.StandardCharsets;
 
 /**