Hi, all. Thanks in advance for any help.
I’m setting up Keycloak in my prod environment for the first time. I have a fairly simple microservice ecosystem for now just to smoke test everything. I first got all this running in a local Docker, with everything including the Keycloak server exposed only through an Nginx reverse proxy. Everything was great.
So I deployed all this to my prod environment, which in this case is fly.io. The only changes for these purposes were a few URLs including the Keycloak host. I wasn’t even using start-dev in the local for these purposes.
So here’s the strange behavior: in prod the jwks_uri endpoint cycles through a few different pairs of signing and encryption keys. I’m seeing two of each. The result is that intermittently the KID in my bearer token doesn’t match the results of the jwks_uri call, causing 401s. I’ve pulled that URI up in my browser and sure enough if I hit refresh a few times I get different results every few seconds.
Is this intended behavior? A security feature I am not familiar with? If so how do I manage it?
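Before treating the cycling as a security feature, it helps to measure what the endpoint is actually serving. The script below is an added example, not code from the original post or from the Keycloak project: it samples the jwks_uri repeatedly, groups the responses by the set of key IDs they contain, and reports how often each signing kid is present. Two or more disjoint key sets that alternate from request to request (rather than one set that grows or shrinks over time) point to several backend instances answering the same hostname without a shared key store, which is an assumption to confirm in the deployment rather than a conclusion the script can prove. A single set that only changes occasionally is ordinary key rotation, which a resource server tolerates by refetching the JWKS when it meets an unknown kid. The JWKS documents embedded here are constructed placeholders with no real key material; `poll_jwks` and its URL parameter are the hypothetical live variant.

```python
"""Diagnose a JWKS endpoint that appears to serve inconsistent key sets."""
import json
import time
import urllib.request
from collections import Counter


def key_set_identity(jwks):
    """Canonical, hashable identity of one JWKS document: sorted (kid, use, alg) triples."""
    return tuple(sorted((k.get("kid", ""), k.get("use", ""), k.get("alg", ""))
                        for k in jwks.get("keys", [])))


def count_distinct_key_sets(samples):
    """Map each distinct key set to how many sampled responses returned it.
    One entry means a consistent endpoint; several means different backends answered."""
    return Counter(key_set_identity(s) for s in samples)


def kid_availability(kid, samples):
    """Fraction of sampled responses that contain `kid`.
    Below 1.0, a token signed with that kid fails lookup on some requests (intermittent 401s)."""
    if not samples:
        return 0.0
    hits = sum(1 for s in samples
               if any(k.get("kid") == kid for k in s.get("keys", [])))
    return hits / len(samples)


def diagnose(samples):
    """Return (number_of_distinct_key_sets, {signing_kid: availability}) for sampled responses."""
    sets = count_distinct_key_sets(samples)
    sig_kids = {k.get("kid") for s in samples
                for k in s.get("keys", []) if k.get("use") == "sig"}
    return len(sets), {kid: kid_availability(kid, samples) for kid in sorted(sig_kids)}


def poll_jwks(url, n=10, delay_s=1.0):
    """Live variant (needs network): GET the real jwks_uri n times, pausing between calls.
    `url` is the realm's jwks_uri from its OpenID discovery document (hypothetical here)."""
    out = []
    for _ in range(n):
        with urllib.request.urlopen(url, timeout=10) as resp:
            out.append(json.load(resp))
        time.sleep(delay_s)
    return out


# Constructed sample responses simulating two instances that each generated their own
# realm keys. Only kid/use/alg are modelled; the public-key fields are omitted on purpose.
SET_A = {"keys": [
    {"kid": "kid-A-sig", "use": "sig", "alg": "RS256", "kty": "RSA"},
    {"kid": "kid-A-enc", "use": "enc", "alg": "RSA-OAEP", "kty": "RSA"},
]}
SET_B = {"keys": [
    {"kid": "kid-B-sig", "use": "sig", "alg": "RS256", "kty": "RSA"},
    {"kid": "kid-B-enc", "use": "enc", "alg": "RSA-OAEP", "kty": "RSA"},
]}
# Five "refreshes" that alternate between the two backends.
SAMPLE_RESPONSES = [SET_A, SET_B, SET_A, SET_B, SET_A]


if __name__ == "__main__":
    n_sets, availability = diagnose(SAMPLE_RESPONSES)
    print(f"distinct key sets seen: {n_sets}")
    for kid, frac in availability.items():
        print(f"  {kid}: present in {frac:.0%} of responses")
```

Run it as-is to see the constructed case, or replace `SAMPLE_RESPONSES` with `poll_jwks(<jwks_uri>)` to sample a live realm; a signing kid whose availability is below 100% is exactly the kid whose tokens will be rejected on the requests that land on the other backend.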