[keycloak-dev] Migration of old offline tokens

Marek Posolda mposolda at redhat.com
Fri Jan 13 05:45:39 EST 2017

We have a bug that offline tokens issued in the old release (eg. 1.9.8) 
don't work after migration into the new release and can't be 
successfully refreshed. JIRA is 
https://issues.jboss.org/browse/KEYCLOAK-4140 .

Reason is, that old offline token don't have KID in the header, but 
currently we require KID to be present, so we can lookup correct key. I 
wonder about possible solutions:

1) If KID is not present in offline token, then just look for the realm 
active RSA key and use that one for the verification. This is easier and 
I've sent PR for it now https://github.com/keycloak/keycloak/pull/3752 . 
However there is one small limitation though, that if admin changes the 
active realm key, the old offline tokens won't work (even though the old 
publicKey is still valid, it is just not active). So seems that if we go 
with this one, we should add a note to the migration guide about this 

2) Iterate over all realm RSA keys and try to verify token with any of 
them. This won't have the limitation above, but it's more complex though.

IMO the limitation is acceptable, considering that it's just about 
backwards compatibility. So I would rather go with simpler 1. WDYT?


More information about the keycloak-dev mailing list