Keycloak Realm Keys (fleeting)
- External reference: https://wjw465150.gitbooks.io/keycloak-documentation/content/server_admin/topics/realms/keys.html
keycloak realm keys
Keycloak has a single active keypair at a time, but can have several passive keys as well. The active keypair is used to create new signatures, while the passive keypairs can be used to verify previous signatures. This makes it possible to regularly rotate the keys without any downtime or interruption to users.
Keycloak currently only supports RSA signatures, so there is only one active keypair.
How long you wait to delete old keys is a tradeoff between security and making sure all cookies and tokens are updated. In general it should be acceptable to drop old keys after a few weeks. Users that have not been active in the period between the new keys being added and the old keys being removed will have to re-authenticate.
As a guideline it may be a good idea to create new keys every 3-6 months and delete old keys 1-2 months after the new keys were created.