[keycloak-user] Service Accounts: multiple keys for a given Signed Jwt Authenticator

Adrian Gonzalez adr_gonzalez at yahoo.fr
Fri Feb 9 13:46:46 EST 2018


 Perfect, thanks for the answer Marek !
    Le vendredi 9 février 2018 à 15:22:37 UTC+1, Marek Posolda <mposolda at redhat.com> a écrit :  
 
 Dne 8.2.2018 v 17:18 Adrian Gonzalez napsal(a):
> Hello,
> I'm using rfc7523 I've set Client Authenticator=Signed Jwt, and downloaded the jks.
>
> I'd like to know if there is a way to have multiple keys for a given Service Account ?This would provide me with a way of supporting multiple keys at the same time when rotating them.
>
> Is the JWKS URL the only way of handling that ? And in this case, can it support all the keys in the JWK URL at the same time (i.e. case of blue green deployments) ?
Yes, it should exactly work like this. When Keycloak see the JWT token 
from your client, which is signed by unknown key (this is based on the 
value of "kid" from the token, which must be unknown to Keycloak), then 
Keycloak will try to download new keys from providerd JWKS URL. Your 
client can support multiple keys there, and Keycloak will then use the 
correct one based on the "kid" value.

Marek
> Thanks,Adrian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


  


More information about the keycloak-user mailing list