11

When I access the Keycloak admin console (!remotely) and create a client:

keycloak client settings

the Keycloak OIDC JSON doesn't have a public key

keycloak OIDC JSON

I would expect the JSON to contain something like:

 "realm-public-key": "MIIBIjANBg....
Tomas Marik
  • 4,053
  • 3
  • 31
  • 62

3 Answers

21

keycloak.json in the newest Keycloak does not have any realm public key ... actually it appears that you are using Keycloak version 2.3.x; there have been some changes in it. Basically you can rotate multiple public keys for a realm. The documentation says this:

In the 2.3.0 release we added support for Public Key Rotation. When an admin rotates the realm keys in the Keycloak admin console, the Client Adapter will be able to recognize it and automatically download the new public key from Keycloak. However, this automatic download of new keys is done only if you don’t have the realm-public-key option in your adapter with a hardcoded public key. For this reason, we don’t recommend using the realm-public-key option in the adapter configuration anymore. Note that this option is still supported, but it may be useful only if you really want to have a hardcoded public key in your adapter configuration and never download the public key from Keycloak. In theory, one reason for this can be to avoid a man-in-the-middle attack if you have an untrusted network between the adapter and Keycloak; however, in that case it is a much better option to use HTTPS, which will secure all the requests between the adapter and Keycloak.

Aritz
  • 30,971
  • 16
  • 136
  • 217
UchihaItachi
  • 2,602
  • 14
  • 21
  • 1
    Is there documentation to get the public keys in use? – ibotty Nov 29 '16 at 15:29
  • @ibotty I have yet to come across any such direct documentation, but you can change the priority of the keys. The key with the highest priority gets used – UchihaItachi Nov 29 '16 at 18:48
  • 6
    Just a note for people looking for an answer to my question from a year ago: you can get the certificates used with a GET on `/protocol/openid-connect/certs`. – ibotty Sep 19 '17 at 11:02
  • What about SAML? – Henry Sep 15 '20 at 07:47
  • Could you please have a look at my Keycloak-related question https://stackoverflow.com/q/70376766/2886891 ? Thanks. – Honza Zidek Dec 16 '21 at 16:01
13

I still don't know why there is no public key in the Keycloak OIDC JSON (probably for security reasons), but I have found it under:

Realm Settings > Keys > Public Key View


Tomas Marik
  • 4,053
  • 3
  • 31
  • 62
  • 6
    *I still don't know why there is no public key in keycloak OIDC JSON* It's because of key-rotation. Instead of hardcoding the key in the JSON, it's much more flexible if the adapter just *downloads* the key directly from the server. That way you can rotate those keys; replace them with new ones every month or whatever. – Stijn de Witt Jul 21 '17 at 19:17
0

I had this same problem initially, but then figured out that I was using the wrong URL. The OpenID configuration is published by Keycloak under this URL, as per the standard:

http://localhost:8080/auth/realms/myrealm/.well-known/openid-configuration

But the public key is published under the jwks_uri, which is this:

http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/certs

Using that second URL, it is quite easy to validate the JWT using the connect2id library (https://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens):

...
import java.net.URL;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
...
// bearerAccessToken and clientID come from the surrounding code (the token presented by the caller and the ClientID registered in Keycloak)
JWT idToken = JWTParser.parse(bearerAccessToken.toString());

Nonce expectedNonce = null; // no nonce to check in this flow
Issuer iss = new Issuer("http://localhost:8080/auth/realms/myrealm");
JWSAlgorithm jwsAlg = JWSAlgorithm.RS256; // the expected algorithm is pinned here, not read from the token
URL jwkSetURL = new URL("http://localhost:8080/auth/realms/myrealm/protocol/openid-connect/certs");

// The validator fetches the JWK set from jwkSetURL, selects the key whose kid matches the token header,
// and throws BadJOSEException/JOSEException when the signature or the claims do not check out
IDTokenValidator validator = new IDTokenValidator(iss, clientID, jwsAlg, jwkSetURL);
IDTokenClaimsSet claims = validator.validate(idToken, expectedNonce);
...
martin_wun
  • 1,599
  • 1
  • 15
  • 33
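What an adapter does with the JWK set that the first answer's key rotation relies on and that the third answer's jwks_uri points at, as an added example in Go (not code from any answer on this page, and not Keycloak's or the Nimbus library's own). It builds a two-key JWK set in the shape Keycloak serves at /protocol/openid-connect/certs (the key that was current before a rotation kept alongside the new one), signs tokens with those keys, and verifies them the way an adapter must: pin the algorithm, select the key by the kid in the token header, verify the RS256 signature, then check iss and exp. The realm URL is the one from the answer above; the kid values, the claims and the key set itself are constructed for the example, and nothing is fetched from a server.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// JWK and JWKS mirror the document Keycloak serves at /realms/<realm>/protocol/openid-connect/certs.
type JWK struct {
	Kid string `json:"kid"`
	Kty string `json:"kty"`
	Use string `json:"use"`
	N   string `json:"n"`
	E   string `json:"e"`
}
type JWKS struct{ Keys []JWK `json:"keys"` }

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url throughout

// ToJWK publishes an RSA public key under a kid, the way the realm's /certs endpoint does.
func ToJWK(kid string, pub *rsa.PublicKey) JWK {
	return JWK{Kid: kid, Kty: "RSA", Use: "sig", N: b64.EncodeToString(pub.N.Bytes()),
		E: b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}
}

// SignJWT issues a compact RS256 JWT whose header names the signing key by kid, as Keycloak does.
func SignJWT(kid string, priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil { return "", err }
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT is what an adapter does with the downloaded JWKS: pin alg, pick the key by kid, verify, check iss/exp.
func VerifyJWT(token string, jwksJSON []byte, issuer string, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	hdrBytes, errH := b64.DecodeString(parts[0])
	payload, errP := b64.DecodeString(parts[1])
	sig, errS := b64.DecodeString(parts[2])
	if errH != nil || errP != nil || errS != nil { return nil, fmt.Errorf("token is not base64url") }
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(hdrBytes, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("rejecting alg %q: the verifier pins RS256, the token does not choose", hdr.Alg)
	}
	var set JWKS
	if err := json.Unmarshal(jwksJSON, &set); err != nil { return nil, err }
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kid == hdr.Kid && k.Kty == "RSA" && k.Use == "sig" {
			n, _ := b64.DecodeString(k.N) // a malformed n or e just yields a key no signature can match
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { return nil, fmt.Errorf("no signing key with kid %q in JWKS (rotated out or never published)", hdr.Kid) }
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify under kid %q", hdr.Kid)
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil { return nil, err }
	if exp, ok := claims["exp"].(float64); claims["iss"] != issuer || !ok || float64(now.Unix()) >= exp {
		return nil, fmt.Errorf("issuer or expiry check failed (iss=%v)", claims["iss"])
	}
	return claims, nil
}

// Demo exercises rotation against a constructed two-key JWKS: the key current before rotation is still
// published next to the new one, so tokens from both verify; a token under a kid the realm no longer
// publishes ("gone-kid") and an expired token must fail.
func Demo() (newOK, oldOK, unknownKidRejected, expiredRejected bool) {
	const issuer = "http://localhost:8080/auth/realms/myrealm" // assumed realm URL, as in the answer above
	oldKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	newKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	if err1 != nil || err2 != nil { panic("key generation failed") }
	jwks, _ := json.Marshal(JWKS{Keys: []JWK{ToJWK("old-kid", &oldKey.PublicKey), ToJWK("new-kid", &newKey.PublicKey)}})
	now := time.Now()
	verifies := func(kid string, key *rsa.PrivateKey, ttl time.Duration) bool {
		tok, _ := SignJWT(kid, key, map[string]interface{}{"iss": issuer, "sub": "alice", "exp": now.Add(ttl).Unix()})
		_, err := VerifyJWT(tok, jwks, issuer, now)
		return err == nil
	}
	return verifies("new-kid", newKey, 5*time.Minute), verifies("old-kid", oldKey, 5*time.Minute),
		!verifies("gone-kid", oldKey, 5*time.Minute), !verifies("new-kid", newKey, -time.Minute)
}

func main() { fmt.Println(Demo()) }
```

Demo() returns true for all four cases when the verifier behaves. The order of the checks is the point: the alg is compared against a fixed value before any key is consulted, so a token claiming alg none or HS256 never reaches signature verification; a kid that is absent from the set (a key the admin has since removed) is a hard failure rather than a fallback to whatever key is listed first. A real adapter would re-fetch the JWKS once on an unknown kid before giving up, which is exactly the automatic download the first answer's documentation quote describes.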