[keycloak-user] Service Accounts: multiple keys for a given Signed Jwt Authenticator
Marek Posolda
mposolda at redhat.com
Fri Feb 9 09:22:34 EST 2018
On 8.2.2018 at 17:18, Adrian Gonzalez wrote:
> Hello,
> I'm using RFC 7523. I've set Client Authenticator=Signed Jwt, and downloaded the JKS.
>
> I'd like to know if there is a way to have multiple keys for a given Service Account? This would provide me with a way of supporting multiple keys at the same time when rotating them.
>
> Is the JWKS URL the only way of handling that? And in this case, can it support all the keys in the JWK URL at the same time (i.e. the case of blue-green deployments)?
Yes, it should work exactly like this. When Keycloak sees a JWT token from your client which is signed by an unknown key (this is based on the value of "kid" from the token, which must be unknown to Keycloak), then Keycloak will try to download new keys from the provided JWKS URL. Your client can support multiple keys there, and Keycloak will then use the correct one based on the "kid" value.
Marek
> Thanks, Adrian