11:47 a.m.
Hi,
i'm trying to do an openshift based implementation.
Two server (Keycloak and a relying party RP)
They cannot communicate, but the RP is supposed to verify Keycloak's token.
For that he needs to have the public key of the realm.
When my pod (Docker instance) restart, i re-create the same realm, with the
same clientID,
but of course the realm's key is a newly generated one.
I saw in an old documentation that it was possible to upload a key
https://www.keycloak.org/docs/1.9/server_admin_guide/topics/realms/keys.html
I didn't found the certificate in the json from
kcadm.sh get realms
so i don't think it's going to help using a
kcadm.sh create realm --file [my_json_with_the_certificate_in_it]
What I would like to do is set the key at the realm creation, or modify it
just after it's creation.
If anyone has a clue, or can just confirm me that it's not possible
Thanks a lot
Amaury
2:15 p.m.
Since you're using OpenShift, you may put the exported realm in JSON (with
public/private keys and other necessary things) format into a ConfigMap.
Once the ConfigMap is live, just mount it into your container (as a
volume). This way it will be accessible as a file inside your container.
The last bit is to modify Container Args (which translate into CMD of a
Dockerfile) to start the Keycloak with the following switches:
./standalone.sh \
-Dkeycloak.migration.action=import \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=<path to mounted config map> \
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING
This way you will be sure that each Pod is initialized exactly the same way
and you will be managing configuration by modifying the ConfigMap. However,
please keep in mind, that ConfigMaps are not versioned (yet!). So you won't
be able to revert changes quickly if you screw something up in the
configuration.
Cheers,
Sebastian
On Wed, Aug 8, 2018 at 11:57 AM triton oidc <triton.oidc(a)gmail.com> wrote:
Hi,
i'm trying to do an openshift based implementation.
Two server (Keycloak and a relying party RP)
They cannot communicate, but the RP is supposed to verify Keycloak's token.
For that he needs to have the public key of the realm.
When my pod (Docker instance) restart, i re-create the same realm, with the
same clientID,
but of course the realm's key is a newly generated one.
I saw in an old documentation that it was possible to upload a key
https://www.keycloak.org/docs/1.9/server_admin_guide/topics/realms/keys.html
I didn't found the certificate in the json from
kcadm.sh get realms
so i don't think it's going to help using a
kcadm.sh create realm --file [my_json_with_the_certificate_in_it]
What I would like to do is set the key at the realm creation, or modify it
just after it's creation.
If anyone has a clue, or can just confirm me that it's not possible
Thanks a lot
Amaury
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:42 p.m.
Hi,
Sebastian has answered you already, but here's another method that might be helpful
for you ore someone else...
Realm keys are stored as "component configs"
(o.k.models.jpa.entities.ComponentConfigEntity)
If I'm not mistaken, these are exposed via REST
(o.k.services.resources.admin.ComponentResource)
So theoretically you should be able to modify them on a live realm. Didn't try this
with kcadm, but feel free to try yourself and report :)
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-08-08 at 09:47 +0000, triton oidc wrote:
Hi,
i'm trying to do an openshift based implementation.
Two server (Keycloak and a relying party RP)
They cannot communicate, but the RP is supposed to verify Keycloak's token.
For that he needs to have the public key of the realm.
When my pod (Docker instance) restart, i re-create the same realm, with the
same clientID,
but of course the realm's key is a newly generated one.
I saw in an old documentation that it was possible to upload a key
https://www.keycloak.org/docs/1.9/server_admin_guide/topics/realms/keys.html
I didn't found the certificate in the json from
kcadm.sh get realms
so i don't think it's going to help using a
kcadm.sh create realm --file [my_json_with_the_certificate_in_it]
What I would like to do is set the key at the realm creation, or modify it
just after it's creation.
If anyone has a clue, or can just confirm me that it's not possible
Thanks a lot
Amaury
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4:41 p.m.
Hi Sebastien,
Thanks a lot for the answer, that's the thing i was looking for something
like this, and didn't thought looking in this direction.
I should be able to make it work.
@Dmitry
if i can make it work, you solution seems pretty cool too
Should i succeed, i'll explain how if it can help someone else
Thanks again
Amaury
On Wed, Aug 8, 2018 at 12:42 PM, Dmitry Telegin <dt(a)acutus.pro> wrote:
Hi,
Sebastian has answered you already, but here's another method that might
be helpful for you ore someone else...
Realm keys are stored as "component configs" (o.k.models.jpa.entities.
ComponentConfigEntity)
If I'm not mistaken, these are exposed via REST
(o.k.services.resources.admin.ComponentResource)
So theoretically you should be able to modify them on a live realm. Didn't
try this with kcadm, but feel free to try yourself and report :)
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info(a)acutus.pro
On Wed, 2018-08-08 at 09:47 +0000, triton oidc wrote:
> Hi,
>
> i'm trying to do an openshift based implementation.
>
> Two server (Keycloak and a relying party RP)
> They cannot communicate, but the RP is supposed to verify Keycloak's
token.
> For that he needs to have the public key of the realm.
>
> When my pod (Docker instance) restart, i re-create the same realm, with
the
> same clientID,
> but of course the realm's key is a newly generated one.
>
> I saw in an old documentation that it was possible to upload a key
> https://www.keycloak.org/docs/1.9/server_admin_guide/topics/
realms/keys.html
>
> I didn't found the certificate in the json from
> kcadm.sh get realms
> so i don't think it's going to help using a
> kcadm.sh create realm --file [my_json_with_the_certificate_in_it]
>
> What I would like to do is set the key at the realm creation, or modify
it
> just after it's creation.
>
> If anyone has a clue, or can just confirm me that it's not possible
>
> Thanks a lot
>
> Amaury
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
2361
days inactive
2361
days old
3 comments
3 participants
participants (3)
-
Dmitry Telegin -
Sebastian Laskawiec -
triton oidc