We don't (re)import anything after rebooting. As I said, the only thing
we do is add our User Federation. Is it possible that Keycloak
regenerates keys while the User Federation is being injected? On the other hand... where
are those keys stored? I mean, which table in the DB?
On 03.01.2018 09:08, Marek Posolda wrote:
On 02/01/18 17:47, Karol Buler wrote:
> Hi Marek,
>
> thanks for the response!
>
> Of course we use a specific docker image (at this moment
> jboss/keycloak-postgres:3.2.1.Final), so the database is persistent, but
> (checked twice) RSA and also HMAC from "Realm settings -> Keys" are
> different after rebooting the Keycloak's docker. The only additional
> thing we do in the dockerfile is adding our User Federation's provider.
> Do you see any mistake that we could have made?
I guess you may do an import (or reimport) of the realm after the reboot?
Re-import will always generate new keys by default. You can either
skip re-import or if skip re-import is really needed, then you may
need to use a different key provider, and perhaps hardcode the keys
instead of always generating them.
Marek
>
> Karol
>
>
> On 02.01.2018 17:21, Marek Posolda wrote:
>> Hi,
>>
>> isn't the problem that your whole database is always "restarted"
>> during each keycloak reboot? Or that you always force reimport
>> things? If you use a docker image pointed to a shared database, you
>> won't see this problem though. We have docker images for databases
>> like PostgreSQL, MySQL AFAIR.
>>
>> Marek
>>
>> On 02/01/18 10:27, Karol Buler wrote:
>>> Hi Keycloak community!
>>>
>>> At the beginning I would like to wish you a Happy New Year! :)
>>>
>>> About the problem... If we run Keycloak as a docker, every time Keycloak
>>> is rebooted the Keys (Realm Setting -> Keys) are generated again. The result
>>> is that each application which uses Keycloak's adapter throws a "Didn't
>>> find publicKey for specified kid" error. This error occurs because the
>>> Keys are not rotated in the right way, and the application does not know about
>>> the rotation.
>>>
>>> Have you met this problem? What is your workaround? Is it an issue?
>>>
>>> Best regards,
>>> Karol
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
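
An added example, not from the thread and not Keycloak's adapter code: a minimal sketch of the kid lookup behind the "Didn't find publicKey for specified kid" error. It shows that a client which refetches the published key set on an unknown kid recovers for newly issued tokens, while tokens signed before the keys were regenerated stay unresolvable. `KeyResolver`, `make_token`, the kid values and both key sets are constructed for illustration.

```python
import base64
import json

def _b64url_decode(part):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def token_kid(token):
    """Return the kid from a JWT header (lookup only, no signature check)."""
    header = json.loads(_b64url_decode(token.split(".")[0]))
    return header.get("kid")

class KeyResolver:
    """Hypothetical client-side key cache: refetch the key set on an unknown kid."""
    def __init__(self, fetch_jwks):
        self.fetch_jwks = fetch_jwks
        self.keys = {}
        self.fetches = 0

    def resolve(self, token):
        kid = token_kid(token)
        if kid not in self.keys:
            self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"]}
            self.fetches += 1
        return self.keys.get(kid)  # None: no public key for this kid

def make_token(kid):
    # Constructed sample: real header, placeholder payload and signature.
    header = json.dumps({"alg": "RS256", "typ": "JWT", "kid": kid}).encode()
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode() + ".e30.sig"

# Constructed key sets: what the realm publishes before and after the restart.
JWKS_BEFORE = {"keys": [{"kid": "kid-before-restart", "kty": "RSA", "use": "sig"}]}
JWKS_AFTER = {"keys": [{"kid": "kid-after-restart", "kty": "RSA", "use": "sig"}]}

def simulate_restart():
    server = {"jwks": JWKS_BEFORE}
    resolver = KeyResolver(lambda: server["jwks"])
    old_token = make_token("kid-before-restart")
    before = resolver.resolve(old_token) is not None  # key fetched and cached
    server["jwks"] = JWKS_AFTER                       # keys regenerated on reboot
    new_token = make_token("kid-after-restart")
    new_ok = resolver.resolve(new_token) is not None  # found after one refetch
    old_ok = resolver.resolve(old_token) is not None  # old key no longer published
    return before, new_ok, old_ok, resolver.fetches

if __name__ == "__main__":
    print(simulate_restart())
```

The last lookup is the case that separates regeneration from rotation: when a key is rotated, the old public key stays published for a while so outstanding tokens still resolve, whereas here it has disappeared.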