Keycloak: missing realm public key

Published 2020-07-06 03:30

Question:

When I access the Keycloak admin console (!remotely) and create a client:

the Keycloak OIDC JSON doesn't have a public key.

I would expect the JSON to contain something like:

 "realm-public-key": "MIIBIjANBg....

Answer 1:

keycloak.json in the newest Keycloak does not have any realm public key... Actually it appears that you are using Keycloak version 2.3.x; there have been some changes in it. Basically you can rotate multiple public keys for a realm. The document says this:

In 2.3.0 release we added support for Public Key Rotation. When admin rotates the realm keys in Keycloak admin console, the Client Adapter will be able to recognize it and automatically download new public key from Keycloak. However this automatic download of new keys is done just if you don’t have realm-public-key option in your adapter with the hardcoded public key. For this reason, we don’t recommend to use realm-public-key option in adapter configuration anymore. Note this option is still supported, but it may be useful just if you really want to have hardcoded public key in your adapter configuration and never download the public key from Keycloak. In theory, one reason for this can be to avoid man-in-the-middle attack if you have untrusted network between adapter and Keycloak, however in that case, it is much better option to use HTTPS, which will secure all the requests between adapter and Keycloak.
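The adapter behaviour the quoted documentation describes, written out as an added example (this is not Keycloak's or the adapter's own code): the verifier selects the realm signing key by the token's `kid`, and when it meets a `kid` it has not cached it downloads the realm keys again, once, before rejecting. The `Realm` class, the `key-N` kid names and the in-process `jwks()` function are stand-ins constructed for the example so it runs offline; the 512-bit RSA keys are generated in-process purely to keep the demo fast.

```python
"""Rotation-aware RS256 verification against a realm JWKS document (added
illustration, not Keycloak code; keys are generated in-process, demo-sized)."""
import base64, hashlib, hmac, json, math, random, time

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def int_b64u(n):
    return b64u(n.to_bytes((n.bit_length() + 7) // 8, "big"))

def is_probable_prime(n, rounds=16):
    """Miller-Rabin for odd n > 3 (demo-grade)."""
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n - 1 == d * 2**r, d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_rsa(bits=512):
    def prime(b):  # random odd b-bit candidate with the top bit set
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:  # textbook keypair (n, e, d); demo only, 512 bits is far too small
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)

def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) into k bytes (RFC 8017)."""
    t = bytes.fromhex("3031300d060960864801650304020105000420") + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))

class Realm:
    """Stand-in for the Keycloak server: an active signing key plus a JWKS endpoint."""
    def __init__(self):
        self.keys, self.active = {}, None
        self.rotate()
    def rotate(self):  # what the admin does under Realm Settings > Keys
        self.active = f"key-{len(self.keys) + 1}"  # constructed kid
        self.keys[self.active] = gen_rsa()
    def jwks(self):
        return {"keys": [{"kty": "RSA", "use": "sig", "kid": kid, "n": int_b64u(n), "e": int_b64u(e)}
                         for kid, (n, e, _) in self.keys.items()]}
    def issue(self, claims):
        n, _, d = self.keys[self.active]
        head = b64u(json.dumps({"alg": "RS256", "typ": "JWT", "kid": self.active}).encode())
        body = b64u(json.dumps(claims).encode())
        return f"{head}.{body}." + b64u(rs256_sign(f"{head}.{body}".encode(), n, d))

class JwksVerifier:
    """Adapter-side key cache: re-downloads the JWKS on an unknown kid, rate-limited."""
    def __init__(self, fetch_jwks, min_refresh_s=60.0):
        self.fetch_jwks, self.min_refresh_s = fetch_jwks, min_refresh_s
        self.keys, self.last_refresh, self.fetches = {}, float("-inf"), 0
    def refresh(self):
        self.keys = {k["kid"]: (int.from_bytes(b64u_dec(k["n"]), "big"), int.from_bytes(b64u_dec(k["e"]), "big"))
                     for k in self.fetch_jwks()["keys"] if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"}
        self.last_refresh, self.fetches = time.monotonic(), self.fetches + 1
    def verify(self, token):
        head, body, sig = token.split(".")
        header = json.loads(b64u_dec(head))
        if header.get("alg") != "RS256":  # the token must not choose the algorithm
            raise ValueError("unexpected alg")
        kid = header.get("kid")
        if kid not in self.keys:  # rotation: fetch the new realm keys, but not on every bad token
            if time.monotonic() - self.last_refresh < self.min_refresh_s:
                raise ValueError("unknown kid; JWKS refresh throttled")
            self.refresh()
            if kid not in self.keys:
                raise ValueError("unknown kid")
        if not rs256_verify(f"{head}.{body}".encode(), b64u_dec(sig), *self.keys[kid]):
            raise ValueError("bad signature")
        return json.loads(b64u_dec(body))
```

In a deployment the `fetch_jwks` callable would perform an HTTPS GET of the realm's certificate endpoint (`/realms/<realm>/protocol/openid-connect/certs` on current Keycloak versions; this path is not cited on the page) rather than calling `Realm.jwks` directly, which is exactly why the quoted documentation prefers HTTPS over a hardcoded `realm-public-key`. The `min_refresh_s` throttle keeps an unknown `kid` in a forged token from forcing a download on every request; a tuned adapter would pair it with a periodic background refresh so a freshly rotated key is picked up even between throttled windows.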



Answer 2:

I still don't know why there is no public key in the Keycloak OIDC JSON (probably for security reasons), but I have found it under:

Realm Settings > Keys > Public Key View



Tags: keycloak