Perfect, thanks for the answer, Marek!
On Friday, February 9, 2018 at 15:22:37 UTC+1, Marek Posolda <mposolda(a)redhat.com>
wrote:
On 8.2.2018 at 17:18, Adrian Gonzalez wrote:
Hello,
I'm using RFC 7523. I've set Client Authenticator=Signed Jwt and downloaded the
JKS.
I'd like to know if there is a way to have multiple keys for a given Service Account?
This would provide me with a way of supporting multiple keys at the same time when
rotating them.
Is the JWKS URL the only way of handling that? And in this case, can it support all the
keys in the JWK URL at the same time (i.e. the case of blue-green deployments)?
Yes, it should work exactly like this. When Keycloak sees the JWT token
from your client, which is signed by an unknown key (this is based on the
value of "kid" from the token, which must be unknown to Keycloak), then
Keycloak will try to download new keys from the provided JWKS URL. Your
client can support multiple keys there, and Keycloak will then use the
correct one based on the "kid" value.
Marek
Thanks,
Adrian
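The lookup described in the reply above (keys selected by "kid", with the JWKS re-downloaded only when a "kid" is unknown) can be sketched as follows. This is an added example, not code from the thread or from Keycloak. Assumptions: the names `KidKeyCache`, `jwt_kid`, `make_token` and `demo` are hypothetical, the sample tokens and JWKS are constructed, signature verification is left to the caller, and the refetch throttle is an added design choice so that tokens with random "kid" values cannot force a download per request.

```python
import base64, json, time

def jwt_kid(token):
    """Return the 'kid' from a compact JWT's header (no signature check here)."""
    header_b64 = token.split(".")[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded)).get("kid")

class KidKeyCache:
    """Keys cached by kid; the JWKS is re-downloaded only when a kid is unknown."""
    def __init__(self, fetch_jwks, min_refetch_seconds=10.0, clock=time.monotonic):
        self._fetch = fetch_jwks            # callable returning the JWKS as a dict
        self._min = min_refetch_seconds     # assumed throttle between downloads
        self._clock = clock
        self._keys, self._last = {}, None
        self.fetches = 0

    def key_for(self, token):
        kid = jwt_kid(token)
        if kid is None:
            raise KeyError("token header has no kid")
        due = self._last is None or self._clock() - self._last >= self._min
        if kid not in self._keys and due:
            self._keys = {k["kid"]: k for k in self._fetch()["keys"] if "kid" in k}
            self._last = self._clock()
            self.fetches += 1
        if kid not in self._keys:
            raise KeyError("unknown kid: %s" % kid)
        return self._keys[kid]              # caller verifies the signature with this key

def make_token(kid):
    """Constructed, unsigned sample token: only the header matters for key lookup."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "kid": kid}), enc({"iss": "my-client"}), "sig"])

def demo():
    # Constructed JWKS for a blue/green rotation; the "n" values are placeholders.
    published = {"keys": [{"kty": "RSA", "kid": "blue", "e": "AQAB", "n": "placeholder-blue"}]}
    now = [0.0]
    cache = KidKeyCache(lambda: published, clock=lambda: now[0])
    results = [cache.key_for(make_token("blue"))["kid"]]         # first download
    published["keys"].append({"kty": "RSA", "kid": "green", "e": "AQAB", "n": "placeholder-green"})
    now[0] = 60.0
    results.append(cache.key_for(make_token("green"))["kid"])    # unknown kid: refetch
    results.append(cache.key_for(make_token("blue"))["kid"])     # old key still accepted
    try:
        cache.key_for(make_token("forged"))                      # throttled: no new download
    except KeyError:
        results.append("rejected")
    return results, cache.fetches
```

During a rotation the old key should stay in the published JWKS until no instance signs with it any more, since a key dropped from the document disappears from the cache on the next refetch.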