Keycloak: missing realm public key
Question
When I access the Keycloak admin console (remotely!) and create a client:
the Keycloak OIDC JSON doesn't have a public key.
I would expect to have something like this in the JSON:
"realm-public-key": "MIIBIjANBg....
Answer
keycloak.json in the newest Keycloak does not have any realm public key... Actually, it appears that you are using Keycloak version 2.3.x; there have been some changes in it. Basically, you can rotate multiple public keys for a realm. The documentation says this:
In the 2.3.0 release we added support for Public Key Rotation. When an admin rotates the realm keys in the Keycloak admin console, the Client Adapter will be able to recognize it and automatically download the new public key from Keycloak. However, this automatic download of new keys is done only if you don't have the realm-public-key option with a hardcoded public key in your adapter. For this reason, we no longer recommend using the realm-public-key option in adapter configuration. Note that this option is still supported, but it may be useful only if you really want to have a hardcoded public key in your adapter configuration and never download the public key from Keycloak. In theory, one reason for this could be to avoid a man-in-the-middle attack if you have an untrusted network between the adapter and Keycloak; however, in that case it is a much better option to use HTTPS, which will secure all the requests between the adapter and Keycloak.
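To make the behaviour the quoted documentation describes concrete, here is an added Go example; it is not Keycloak's adapter code and is not part of the answer above. It models the difference between an adapter that fetches realm keys on demand and one pinned to a hardcoded realm-public-key: a verifier caches the realm's published public keys by kid, re-fetches from the key source when a token carries a kid it has not seen (a rotating verifier), or never re-fetches (a pinned verifier). Everything is constructed in memory: the KeySource function stands in for the realm's certs (JWKS) endpoint, the RSA keys and kids (key-1, key-2) are generated on the spot, and the JWT handling is reduced to RS256 signature and kid checks (no exp, iss or aud validation), so the names and the simplified protocol are assumptions for illustration only.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// KeySource stands in for the realm's certs (JWKS) endpoint: it returns the public
// keys the realm currently publishes, keyed by kid (constructed; a real adapter fetches over HTTPS).
type KeySource func() map[string]*rsa.PublicKey

// Verifier caches realm public keys. With Pinned=false it re-fetches on an unknown kid
// (how rotation is picked up); Pinned=true models a hardcoded realm-public-key, never refreshed.
type Verifier struct {
	source    KeySource
	cache     map[string]*rsa.PublicKey
	Pinned    bool
	Refreshes int
}

func NewVerifier(src KeySource, pinned bool) *Verifier { v := &Verifier{source: src, Pinned: pinned}; v.refresh(); return v }

func (v *Verifier) refresh() { v.cache = v.source(); v.Refreshes++ }
func b64(b []byte) string     { return base64.RawURLEncoding.EncodeToString(b) }
func digest(s string) []byte  { h := sha256.Sum256([]byte(s)); return h[:] }

// SignRS256 produces a compact JWS (header.payload.signature) carrying the given kid.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// Verify checks the RS256 signature with the key named by the token's kid,
// refreshing the cache at most once (unless pinned) when the kid is unknown.
func (v *Verifier) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	var raw [3][]byte
	for i, p := range parts {
		b, err := base64.RawURLEncoding.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr struct{ Alg, Kid string }
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token choose a weaker algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := v.cache[hdr.Kid]
	if !ok && !v.Pinned {
		v.refresh() // the admin may have rotated the realm key
		pub, ok = v.cache[hdr.Kid]
	}
	if !ok {
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), raw[2]); err != nil {
		return nil, fmt.Errorf("bad signature")
	}
	var claims map[string]any
	return claims, json.Unmarshal(raw[1], &claims)
}

// RotationDemo simulates an admin rotating the realm key (all keys constructed here) and reports:
// rotating verifier accepts the new-key token, pinned one accepts it, forged token rejected, fetch count.
func RotationDemo() (rotatingOK, pinnedOK, forgedRejected bool, refreshes int) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	oldKey, newKey, foreign := gen(), gen(), gen()
	published := map[string]*rsa.PublicKey{"key-1": &oldKey.PublicKey}
	src := func() map[string]*rsa.PublicKey { return published }
	rotating, pinned := NewVerifier(src, false), NewVerifier(src, true)
	// Rotation: the realm now signs with key-2 and publishes both keys.
	published = map[string]*rsa.PublicKey{"key-1": &oldKey.PublicKey, "key-2": &newKey.PublicKey}
	rotated, _ := SignRS256(newKey, "key-2", map[string]any{"sub": "alice"})
	_, e1 := rotating.Verify(rotated)
	_, e2 := pinned.Verify(rotated)
	forged, _ := SignRS256(foreign, "key-1", map[string]any{"sub": "admin"}) // foreign key, genuine kid
	_, e3 := rotating.Verify(forged)
	return e1 == nil, e2 == nil, e3 != nil, rotating.Refreshes
}
```

The rotating verifier accepts the token signed with key-2 after exactly one extra fetch, the pinned verifier rejects it (exactly what the quote warns will happen once keys are rotated under a hardcoded realm-public-key), and a token signed with a foreign private key but labelled with a genuine kid fails the signature check, which is why an unknown kid must only trigger a re-fetch and never a skipped verification.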