PublicKey wasn't found in the storage

Getting advice
,
1

Issue with Public Key Retrieval in InfinispanPublicKeyStorageProvider

Hello everyone,

I am encountering an issue with the public key retrieval mechanism in the InfinispanPublicKeyStorageProvider class of Keycloak. Here is a brief overview of the problem:

Problem Description

In my setup, I am using Keycloak to manage authentication and authorization, and the public keys are stored and retrieved using Infinispan. Recently, I observed the following error in the logs:

.2024-07-25T12:42:11.231Z 2024-07-25 12:42:11,231 DEBUG [org.keycloak.keys.infinispan.InfinispanPublicKeyStorageProvider] (executor-thread-38) Public keys retrieved successfully for model <model-id>::idp::<idp-id>. New kids: [<key-id-1>, <key-id-2>, <key-id-3>, <key-id-4>, <key-id-5>, <key-id-6>, <key-id-7>, <key-id-8>, <key-id-9>, <key-id-10>, <key-id-11>, <key-id-12>, <key-id-13>, <key-id-14>, <key-id-15>]
2024-07-25 12:42:11,232 WARN [org.keycloak.keys.infinispan.InfinispanPublicKeyStorageProvider] (executor-thread-38) PublicKey wasn't found in the storage. Requested kid: 'symmetrickey'. Available kids: '[<key-id-1>, <key-id-2>, <key-id-3>, <key-id-4>, <key-id-5>, <key-id-6>, <key-id-7>, <key-id-8>, <key-id-9>, <key-id-10>, <key-id-11>, <key-id-12>, <key-id-13>, <key-id-14>, <key-id-15>]'
2024-07-25T12:42:11.232Z 2024-07-25 12:42:11,232 DEBUG [org.keycloak.broker.oidc.OIDCIdentityProvider] (executor-thread-38) Failed to verify token, key not found for algorithm HS256
2024-07-25 12:42:11,233 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-38) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: token signature validation failed

Issue

Despite the keys being retrieved successfully, the specific key with the identifier symmetrickey is not found, resulting in a failure to verify the token. The logs show that the available key identifiers do not include symmetrickey, and an error occurs due to the key for algorithm HS256 not being found.

Deployment Details

We have deployed Keycloak 24.0.3 on Google Kubernetes Engine (GKE) with Cloud Armor and Palo Alto in TCP mode. We use an existing OpenID Connect SSO

Request for Help

I am looking for advice on how to resolve this issue. Specifically, I need assistance with:

  1. Ensuring that the requested key identifier (symmetrickey) is available in the cache or properly loaded if not present.
  2. Debugging steps or additional logging that might help identify why the key is missing despite successful retrieval of other keys.

Any guidance or suggestions on how to address this problem would be greatly appreciated.

Thank you!

2

Hello everyone,

I wanted to provide an update on the issue I was facing with public key retrieval in the InfinispanPublicKeyStorageProvider.

Resolution

After extensive research and reviewing several posts, we finally found the solution in the official Keycloak documentation:

In the section “OpenID Connect v1.0 identity providers”, it states:

“Keycloak brokers identity providers based on the OpenID Connect protocol. These identity providers (IDPs) must support the Authorization Code Flow defined in the specification to authenticate users and authorize access.”

What We Did

Upon reviewing our Keycloak instance, we realized that we were using “Keycloak OpenID Connect” as our identity provider. By switching to a configuration based on “OpenID Connect v1.0 identity providers”, the errors disappeared.

Deployment Details

For context, our Keycloak deployment is on Google Kubernetes Engine (GKE) with Cloud Armor and Palo Alto in TCP mode.

I hope this information helps others who might encounter similar issues.