[keycloak-dev] Realm key rotation support

Bill Burke bburke at redhat.com
Fri Sep 23 15:07:39 EDT 2016

On 9/23/16 11:53 AM, John Dennis wrote:
> On 09/13/2016 09:29 AM, Stian Thorgersen wrote:
>> To be able to gracefully rotate the realm keys periodically a realm
>> needs to have more than one keypair. One keypair that is active and will
>> be used to issue new cookies and tokens. Also, one or more keypairs that
>> are inactive that can be used to verify old cookies and tokens.
>> This is only for login cookie and OIDC protocol. Is it even necessary to
>> have support for multiple certificates for SAML? SAML doesn't have a
>> token introspection or refresh of the assertions, right? So not sure it's
>> needed.
> SAML also needs multiple keys during the rotation period. Off the top of
> my head I do not recall if the realm key is used for signing or if an
> independent key is generated. Currently Keycloak does not support SAML
> encryption but when it does the same will apply to encryption keys as
> would currently apply to signing keys.

We support encrypting the assertion.
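The rotation model Stian describes above (one active keypair that signs new tokens, zero or more passive keypairs kept only to verify tokens issued before the rotation, keys selected by the `kid` in the token header) can be shown end to end in a few dozen lines. The following Go program is an added illustration written for this archive page; it is not Keycloak's code, and the `RealmKeys` type, its `Rotate`/`Retire` methods and the `realm-key-N` naming of key ids are assumptions made for the example. It issues and verifies RS256 compact JWS tokens with the standard library only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// RealmKeys is a hypothetical realm keyset: exactly one active keypair signs
// newly issued tokens; passive keypairs stay only to verify older tokens.
type RealmKeys struct {
	active string
	keys   map[string]*rsa.PrivateKey
	nextID int
}

// NewRealmKeys creates a keyset with a single active key.
func NewRealmKeys() (*RealmKeys, error) {
	r := &RealmKeys{keys: map[string]*rsa.PrivateKey{}}
	_, err := r.Rotate()
	return r, err
}

// Rotate generates a fresh keypair and makes it the active one; the previous
// active key remains in the set as a passive, verify-only key.
func (r *RealmKeys) Rotate() (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	r.nextID++
	kid := fmt.Sprintf("realm-key-%d", r.nextID) // constructed id scheme
	r.keys[kid] = priv
	r.active = kid
	return kid, nil
}

// Retire drops a passive key once no token signed with it can still be valid.
func (r *RealmKeys) Retire(kid string) error {
	if kid == r.active {
		return errors.New("cannot retire the active key")
	}
	if _, ok := r.keys[kid]; !ok {
		return errors.New("unknown kid")
	}
	delete(r.keys, kid)
	return nil
}

// ActiveKid reports which key currently signs new tokens.
func (r *RealmKeys) ActiveKid() string { return r.active }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign issues a compact JWS (RS256) whose header names the active key by kid,
// so a verifier can pick the right key after a rotation.
func (r *RealmKeys) Sign(claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": r.active})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, r.keys[r.active], crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify checks a token against whichever realm key its kid names, active or
// passive, and rejects tokens whose key has been retired or whose alg differs.
func (r *RealmKeys) Verify(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg, Kid string } // json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" {
		return nil, errors.New("unexpected alg")
	}
	priv, ok := r.keys[hdr.Kid]
	if !ok {
		return nil, fmt.Errorf("no realm key with kid %q", hdr.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(&priv.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("bad signature")
	}
	bodyJSON, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	return claims, json.Unmarshal(bodyJSON, &claims)
}

func main() {
	r, _ := NewRealmKeys()
	old, _ := r.Sign(map[string]interface{}{"sub": "alice"}) // constructed claims
	oldKid := r.ActiveKid()
	r.Rotate()
	_, err := r.Verify(old)
	fmt.Println("old token after rotation verifies:", err == nil)
	r.Retire(oldKid)
	_, err = r.Verify(old)
	fmt.Println("old token after retiring its key verifies:", err == nil)
}
```

The point to take from the walkthrough is the grace period: a token signed before `Rotate` keeps verifying for as long as its key stays in the set, and fails only once `Retire` removes that key, which is why the passive keys need to outlive the longest token or cookie lifetime the realm issues.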

