Hmm... I just checked again on my local machine with docker-compose and
those Keys aren't changed. It looks like this issue occurs only on
OpenShift, which we use for the whole system. I have to check how it works
step by step.

On 03.01.2018 10:34, Karol Buler wrote:
We don't (re)import anything after rebooting. As I said, the only thing
we do is add our User Federation. Is it possible that Keycloak
regenerates Keys while the User Federation is being injected? On the
other hand... where are those keys stored? I mean which table in the DB?

On 03.01.2018 09:08, Marek Posolda wrote:
> On 02/01/18 17:47, Karol Buler wrote:
>> Hi Marek,
>>
>> thanks for the response!
>>
>> Of course we use specific docker image (at this moment
>> jboss/keycloak-postgres:3.2.1.Final), so database is persistent, but
>> (checked twice) RSA and also HMAC from "Realm settings -> Keys" are
>> different after rebooting the Keycloak's docker. The only additional
>> thing we do in dockerfile is adding our User Federation's provider.
>> Do you see any mistake that we could do?
> I guess you may do import (or reimport) of the realm after the reboot?
> Re-import will always generate new keys by default. You can either
> skip re-import or if skip re-import is really needed, then you may
> need to use different key provider, and perhaps hardcode the keys
> instead of always generating them.
>
> Marek
>> Karol
>>
>>
>> On 02.01.2018 17:21, Marek Posolda wrote:
>>> Hi,
>>>
>>> isn't the problem that your whole database is always "restarted"
>>> during each keycloak reboot? Or that you always force reimport
>>> things? If you use docker image pointed to shared database, you
>>> won't see this problem though. We have docker images for databases
>>> like PostgreSQL, MySQL AFAIR.
>>>
>>> Marek
>>>
>>> On 02/01/18 10:27, Karol Buler wrote:
>>>> Hi Keycloak community!
>>>>
>>>> At the beginning I would wish you a Happy New Year! :)
>>>>
>>>> About the problem... If we run Keycloak as a docker, every time
>>>> Keycloak is rebooted the Keys (Realm Setting -> Keys) are generated
>>>> again. The result is that each application which uses Keycloak's
>>>> adapter throws "Didn't find publicKey for specified kid" error. This
>>>> error occurs because the Keys are not rotated in the right way, and
>>>> the application does not know about the rotation.
>>>>
>>>> Have you met this problem? What is your workaround? Is it an issue?
>>>>
>>>> Best regards,
>>>> Karol
>>>>
>>>> adbglobal.com<https://www.adbglobal.com>
>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user(a)lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
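
An added example, not code from anyone in this thread: one way to confirm the symptom discussed above is to save the realm's published key set (the JWKS document served at the realm's `protocol/openid-connect/certs` endpoint) before and after a restart and compare the key ids with the `kid` of a token issued earlier. The sample JWKS documents, the token and all function names below are constructed for illustration, and the "rotated" / "regenerated" labels are this example's own classification.

```python
import base64
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def token_kid(jwt: str) -> str:
    """Read the 'kid' from a JWT header (no signature verification)."""
    header = jwt.split(".")[0]
    header += "=" * (-len(header) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(header))["kid"]

def jwks_kids(jwks: dict) -> set:
    """Set of key ids published in a JWKS document."""
    return {key["kid"] for key in jwks.get("keys", [])}

def compare_snapshots(before: dict, after: dict) -> str:
    """Classify the change between two JWKS snapshots of one realm."""
    old, new = jwks_kids(before), jwks_kids(after)
    if old == new:
        return "unchanged"
    if old & new:
        return "rotated"      # an earlier key is still published
    return "regenerated"      # no earlier key survived the restart

def diagnose(jwt: str, before: dict, after: dict) -> dict:
    """Report whether a previously issued token's kid is still published."""
    kid = token_kid(jwt)
    return {
        "kid": kid,
        "keys": compare_snapshots(before, after),
        "kid_published": kid in jwks_kids(after),
    }

# Constructed sample data (not taken from the thread).
BEFORE = {"keys": [{"kid": "kid-before-1", "kty": "RSA", "use": "sig"}]}
AFTER_REGEN = {"keys": [{"kid": "kid-after-1", "kty": "RSA", "use": "sig"}]}
AFTER_ROTATE = {"keys": BEFORE["keys"] + AFTER_REGEN["keys"]}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "kid-before-1"}).encode()),
    b64url(b"{}"),
    "constructed-signature",
])

if __name__ == "__main__":
    print(diagnose(SAMPLE_TOKEN, BEFORE, AFTER_REGEN))
    print(diagnose(SAMPLE_TOKEN, BEFORE, AFTER_ROTATE))
```

A "regenerated" result with `kid_published` false matches the "Didn't find publicKey for specified kid" situation described in the first message.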