[keycloak-dev] Realm key rotation support

Marek Posolda mposolda at redhat.com
Tue Sep 13 15:39:45 EDT 2016

On 13/09/16 16:36, Niels Bertram wrote:
> Hi Stian,
> intersting email, we were recently given advise to rotate keys 
> periodically but at this point in time keycloak 1.9.8 does not 
> actually implement 
> http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys nor 
> are any of the client adapters able to use the jks url to retrieve pub 
> keys rather requiring to hard code the target realm key in the 
> public-realm-key property of the keycloak.json client configuration file.
> Is this new feature going to implement the OpenID Connect spec 
> sections 10.1 and 10.2 ?
> Also I assume this would also require changes to adapters by removing 
> the public-realm-key property from the config file?
Yes, exactly. Adapter's side is already implemented in master (but not 
yet documented). See my other mail for details 

> Kind Regards,
> Niels
> On Tue, Sep 13, 2016 at 11:41 PM, Nalyvayko, Peter <pnalyvayko at agi.com 
> <mailto:pnalyvayko at agi.com>> wrote:
>     Is this going to be a breaking feature or is the plan to continue
>     supporting the current single key/realm model?
>     *From:*keycloak-dev-bounces at lists.jboss.org
>     <mailto:keycloak-dev-bounces at lists.jboss.org>
>     [mailto:keycloak-dev-bounces at lists.jboss.org
>     <mailto:keycloak-dev-bounces at lists.jboss.org>] *On Behalf Of
>     *Stian Thorgersen
>     *Sent:* Tuesday, September 13, 2016 9:29 AM
>     *To:* keycloak-dev <keycloak-dev at lists.jboss.org
>     <mailto:keycloak-dev at lists.jboss.org>>
>     *Subject:* [keycloak-dev] Realm key rotation support
>     To be able to gracefully rotate the realm keys periodically a
>     realm needs to have more than one keypair. One keypair that is
>     active and will be used to issue new cookies and tokens. Also, one
>     or more keypairs that are inactive that can be used to verify old
>     cookies and tokens.
>     I'm going to start work on this soon, but here's some initial
>     thoughts:
>     * Realm keys will have a list of keypairs rather than just one.
>     Only one can be active. There will also be an expiration time on
>     the inactive keypairs. Once expired and inactive keypair is no
>     longer usable.
>     * There will also be an option to automatically generate a new key
>     every N days.
>     * If a session cookie is signed with an inactive pair the cookie
>     will be refreshed so it's signed with the active keypair
>     * Token introspect endpoint will allow any token that is signed
>     with any keypair that is not expired
>     * If a refresh token is signed with an inactive pair the new
>     tokens (including refresh token) will be signed with the active
>     keypair
>     * Secret used to generate client code will be linked to the
>     keypair. I'll need a way to specify what secret it was signed with
>     so codes are still valid even if they where signed with an old.
>     This is only for login cookie and OIDC protocol. Is it even
>     necessary to have support for multiple certificates for SAML? SAML
>     doesn't have a token introspection or refresh of the assertions
>     right, so not sure it's needed.
>     With regards to the applications. Marek has already added support
>     for clients to fetch new keypairs for the realm. See his email on
>     keycloak-dev for details around that.
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>     <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160913/d25a811b/attachment-0001.html 

More information about the keycloak-dev mailing list