Keycloak: missing realm public key

Tomas Marik · Nov 9, 2016 · Viewed 18.5k times

When I access the Keycloak admin console (!remotely) and create a client:

(screenshot: Keycloak client settings)

the Keycloak OIDC JSON doesn't have a public key:

(screenshot: Keycloak OIDC JSON)

I would expect to have something like this in the JSON:

 "realm-public-key": "MIIBIjANBg....

Answer

UchihaItachi · Nov 11, 2016

keycloak.json in the newest Keycloak does not have any realm public key... Actually, it appears that you are using Keycloak version 2.3.x; there have been some changes in it. Basically, you can rotate multiple public keys for a realm. The documentation says this:

In 2.3.0 release we added support for Public Key Rotation. When admin rotates the realm keys in Keycloak admin console, the Client Adapter will be able to recognize it and automatically download new public key from Keycloak. However this automatic download of new keys is done just if you don’t have realm-public-key option in your adapter with the hardcoded public key. For this reason, we don’t recommend to use realm-public-key option in adapter configuration anymore. Note this option is still supported, but it may be useful just if you really want to have hardcoded public key in your adapter configuration and never download the public key from Keycloak. In theory, one reason for this can be to avoid man-in-the-middle attack if you have untrusted network between adapter and Keycloak, however in that case, it is much better option to use HTTPS, which will secure all the requests between adapter and Keycloak.
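To make the adapter behaviour described in that paragraph concrete, here is an added Go example (not Keycloak's adapter code): a toy realm that signs RS256 tokens and rotates its key, and a verifier that either holds a hardcoded key, as realm-public-key would, or downloads the realm's key set once when it meets an unknown kid. The Realm, Adapter, JWKS and Fetch names, and the claims, are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding

// Realm stands in for a Keycloak realm's active RS256 signing key (constructed for this example).
type Realm struct { Kid string; Key *rsa.PrivateKey }
// Rotate installs a fresh key under a new kid, like "rotate keys" in the admin console.
func (r *Realm) Rotate(kid string) { r.Key, _ = rsa.GenerateKey(rand.Reader, 2048); r.Kid = kid }
// JWKS is what an adapter downloads from the realm's certs endpoint: kid -> public key.
func (r *Realm) JWKS() map[string]*rsa.PublicKey { return map[string]*rsa.PublicKey{r.Kid: &r.Key.PublicKey} }
// Token issues a compact RS256 JWS (header.claims.signature) whose header names the current kid.
func (r *Realm) Token(claims string) string {
	si := b64.EncodeToString([]byte(`{"alg":"RS256","kid":"`+r.Kid+`"}`)) + "." + b64.EncodeToString([]byte(claims))
	h := sha256.Sum256([]byte(si))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, r.Key, crypto.SHA256, h[:])
	return si + "." + b64.EncodeToString(sig)
}

// Adapter mirrors the client adapter: with Fetch == nil the key set is hardcoded
// (the realm-public-key case); otherwise an unknown kid triggers one JWKS download.
type Adapter struct {
	Keys  map[string]*rsa.PublicKey
	Fetch func() map[string]*rsa.PublicKey
}
// Verify pins the expected alg, resolves the kid (downloading once if allowed) and checks the signature.
func (a *Adapter) Verify(tok string) error {
	p := strings.Split(tok, ".")
	if len(p) != 3 { return errors.New("malformed token") }
	var hdr struct{ Alg, Kid string }
	raw, err := b64.DecodeString(p[0])
	if err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" { return errors.New("bad header or alg") }
	key, ok := a.Keys[hdr.Kid]
	if !ok && a.Fetch != nil { a.Keys = a.Fetch(); key, ok = a.Keys[hdr.Kid] }
	if !ok { return errors.New("unknown kid " + hdr.Kid) }
	sig, err := b64.DecodeString(p[2])
	if err != nil { return errors.New("bad signature encoding") }
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	return rsa.VerifyPKCS1v15(key, crypto.SHA256, h[:], sig)
}
```

After a rotation the hardcoded adapter keeps rejecting every new token until its configuration is updated, which is exactly why the docs steer you away from realm-public-key and toward HTTPS between adapter and Keycloak.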