[keycloak-dev] Migration of old offline tokens
Marek Posolda
mposolda at redhat.com
Fri Jan 13 05:45:39 EST 2017
We have a bug that offline tokens issued in the old release (e.g. 1.9.8)
don't work after migration into the new release and can't be
successfully refreshed. JIRA is
https://issues.jboss.org/browse/KEYCLOAK-4140 .

The reason is that old offline tokens don't have a KID in the header, but
currently we require the KID to be present so we can look up the correct
key. I wonder about possible solutions:

1) If the KID is not present in the offline token, then just look for the
realm's active RSA key and use that one for the verification. This is
easier and I've sent a PR for it now:
https://github.com/keycloak/keycloak/pull/3752 .
However, there is one small limitation: if the admin changes the active
realm key, the old offline tokens won't work (even though the old
publicKey is still valid, it is just not active). So it seems that if we
go with this one, we should add a note to the migration guide about this
limitation?

2) Iterate over all realm RSA keys and try to verify the token with any of
them. This won't have the limitation above, but it's more complex.

IMO the limitation is acceptable, considering that it's just about
backwards compatibility. So I would rather go with the simpler 1. WDYT?
Marek
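As an added illustration of the two options discussed in the message above (example code written for this page, not Keycloak's implementation), the Go program below uses only the standard library to build RS256 tokens with and without a kid header, then runs both lookup strategies against a realm whose active key has been rotated after the kid-less tokens were issued. The realmKeys type, the kid labels "old" and "new", and the sample claims are constructed for the demo and are not Keycloak's types or values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// realmKeys is an assumed stand-in for a realm's RSA key set (not Keycloak's type).
type realmKeys struct {
	keys   map[string]*rsa.PublicKey // kid -> public key; every enabled key may verify
	active string                    // kid of the one key that signs new tokens
}

// sign builds a compact RS256 JWS; an empty kid omits the header field, as in old offline tokens.
func sign(priv *rsa.PrivateKey, kid string, claims map[string]string) string {
	hdr := map[string]string{"alg": "RS256"}
	if kid != "" {
		hdr["kid"] = kid
	}
	h, _ := json.Marshal(hdr)
	p, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(h) + "." + base64.RawURLEncoding.EncodeToString(p)
	d := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:]) // demo: error ignored
	return input + "." + base64.RawURLEncoding.EncodeToString(sig)
}

// parse splits the token, pins alg to RS256 before any key is chosen, and returns the kid ("" if absent).
func parse(tok string) (parts []string, kid string, ok bool) {
	if parts = strings.Split(tok, "."); len(parts) != 3 {
		return nil, "", false
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	var h struct{ Alg, Kid string } // encoding/json matches field names case-insensitively
	if err != nil || json.Unmarshal(raw, &h) != nil || h.Alg != "RS256" {
		return nil, "", false
	}
	return parts, h.Kid, true
}

// verifiedBy checks the signature over header.payload against one public key.
func verifiedBy(pub *rsa.PublicKey, parts []string) bool {
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return err == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// verify covers both options from the thread: a kid in the header always selects that key;
// without one, option 1 (tryAll=false) assumes the active key, option 2 (tryAll=true) tries all.
func (r realmKeys) verify(tok string, tryAll bool) bool {
	parts, kid, ok := parse(tok)
	if !ok {
		return false
	}
	candidates := map[string]*rsa.PublicKey{r.active: r.keys[r.active]} // option 1 default
	if kid != "" {
		candidates = map[string]*rsa.PublicKey{kid: r.keys[kid]} // nil value if kid is unknown
	} else if tryAll {
		candidates = r.keys // option 2: every enabled realm key
	}
	for _, pub := range candidates {
		if pub != nil && verifiedBy(pub, parts) {
			return true
		}
	}
	return false
}

// scenario reproduces the migration case with constructed keys and claims: kid-less tokens
// were signed by "old", then the admin made "new" the active realm key.
func scenario() map[string]bool {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048) // demo: keygen errors ignored
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	realm := realmKeys{active: "new", keys: map[string]*rsa.PublicKey{"old": &oldKey.PublicKey, "new": &newKey.PublicKey}}
	claims := map[string]string{"sub": "alice", "typ": "Offline"}
	legacy := sign(oldKey, "", claims)  // issued by the then-active key, before kid existed
	current := sign(newKey, "", claims) // kid-less, but signed by today's active key
	return map[string]bool{
		"legacy/option1": realm.verify(legacy, false),
		"legacy/option2": realm.verify(legacy, true),
		"active/option1": realm.verify(current, false),
		"active/option2": realm.verify(current, true),
	}
}

func main() {
	fmt.Println(scenario())
}
```

Running it shows the trade-off the message describes: the legacy token fails under option 1 once the active key has changed and passes under option 2, while a kid-less token that happens to match the active key passes under both. The helpers return a bare bool to keep the demo short; a real verifier should surface the reason for rejection (malformed token, alg mismatch, unknown kid, no matching key) so that failed refreshes after a migration can be diagnosed from the logs.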