[keycloak-user] Problem with Keys

Marek Posolda mposolda at redhat.com
Wed Jan 3 03:08:58 EST 2018


On 02/01/18 17:47, Karol Buler wrote:
> Hi Marek,
>
> thanks for the response!
>
> Of course we use a specific docker image (at this moment 
> jboss/keycloak-postgres:3.2.1.Final), so the database is persistent, but 
> (checked twice) RSA and also HMAC from "Realm settings -> Keys" are 
> different after rebooting Keycloak's docker. The only additional 
> thing we do in the dockerfile is adding our User Federation's provider. Do 
> you see any mistake that we could have made?
I guess you may be doing an import (or re-import) of the realm after the reboot? 
Re-import will always generate new keys by default. You can either skip 
re-import or, if skip re-import is really needed, then you may need to 
use a different key provider, and perhaps hardcode the keys instead of 
always generating them.

Marek
>
> Karol
>
>
> On 02.01.2018 17:21, Marek Posolda wrote:
>> Hi,
>>
>> isn't the problem that your whole database is always "restarted" 
>> during each keycloak reboot? Or that you always force a reimport of 
>> things? If you use a docker image pointed to a shared database, you won't 
>> see this problem though. We have docker images for databases like 
>> PostgreSQL, MySQL AFAIR.
>>
>> Marek
>>
>> On 02/01/18 10:27, Karol Buler wrote:
>>> Hi Keycloak community!
>>>
>>> First of all, I would like to wish you a Happy New Year! :)
>>>
>>> About the problem... If we run Keycloak as a docker, every time Keycloak
>>> is rebooted the Keys (Realm Setting -> Keys) are generated again. The result
>>> is that each application which uses Keycloak's adapter throws a "Didn't
>>> find publicKey for specified kid" error. This error occurs because the
>>> Keys are not rotated in the right way, and the application does not know about
>>> the rotation.
>>>
>>> Have you met this problem? What is your workaround? Is it an issue?
>>>
>>> Best regards,
>>> Karol
>>>
>>
>>
>
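
The failure discussed in this thread (a token whose `kid` matches no cached public key after the realm keys are regenerated) can be reproduced offline with the sketch below. It is an added example, not part of the original messages and not Keycloak adapter code; `KidCache`, `fetch_jwks`, `make_token` and the key ids are hypothetical names and constructed sample data.

```python
import base64, json, time

def token_kid(jwt):
    """Read 'kid' from the JWT header segment (no signature check here)."""
    seg = jwt.split(".")[0]
    header = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    return header.get("kid")

class KidCache:
    """kid -> JWK cache that re-fetches the JWKS when a token names an unknown kid."""
    def __init__(self, fetch_jwks, min_refresh_interval=10.0, clock=time.monotonic):
        self.fetch_jwks = fetch_jwks  # hypothetical callable returning a JWKS dict
        self.min_refresh_interval = min_refresh_interval
        self.clock = clock
        self.keys = {}
        self.last_refresh = None

    def resolve(self, jwt):
        kid = token_kid(jwt)
        due = (self.last_refresh is None or
               self.clock() - self.last_refresh >= self.min_refresh_interval)
        # Refresh only on a miss, and rate-limited, so tokens carrying
        # arbitrary kids cannot force a fetch per request.
        if kid not in self.keys and due:
            self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"]}
            self.last_refresh = self.clock()
        if kid not in self.keys:
            raise LookupError(f"no public key for kid {kid!r}")
        return self.keys[kid]

# Constructed sample data: key ids and JWKS documents are made up.
def make_token(kid):
    header = json.dumps({"alg": "RS256", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"

JWKS_BEFORE = {"keys": [{"kid": "kid-before-restart", "kty": "RSA"}]}
JWKS_AFTER = {"keys": [{"kid": "kid-after-restart", "kty": "RSA"}]}

if __name__ == "__main__":
    server = {"jwks": JWKS_BEFORE}
    cache = KidCache(lambda: server["jwks"], min_refresh_interval=0)
    print(cache.resolve(make_token("kid-before-restart"))["kid"])
    server["jwks"] = JWKS_AFTER  # keys regenerated, e.g. by a realm re-import
    print(cache.resolve(make_token("kid-after-restart"))["kid"])
    try:
        cache.resolve(make_token("kid-before-restart"))
    except LookupError as err:
        print(err)  # tokens signed with the discarded key can no longer be verified
```

A refresh on miss lets a client pick up the new key, but tokens issued before the regeneration stay unverifiable, which is why keeping the keys stable across restarts is the actual fix.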


