
Keycloak Backend public key should NOT be required

Open mircea-pavel-anton opened this issue 2 years ago • 1 comments

Expected behaviour

The keycloak backend for authentication should be able to at least extract the realm public key automatically as that is subject to change during key rotation. The endpoint for extracting the keycloak realm public key is public, so no credentials are required.

The OpenID Connect specification itself states that the use of realm public keys is not recommended:

realm-public-key PEM format of the realm public key. You can obtain this from the administration console. This is OPTIONAL and it's not recommended to set it. If not set, the adapter will download this from Keycloak and it will always re-download it when needed (e.g. Keycloak rotates its keys). However, if realm-public-key is set, then the adapter will never download new keys from Keycloak, so when Keycloak rotates its keys, the adapter will break.

Additionally, I don't really see the point in passing in the authorization URL and the token URL when we could simply pass in the OpenID discovery document and extract all the endpoints we need from there.

Actual behaviour

The current implementation requires that the key is manually set via the SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY env var. This is a sub-par implementation as future key rotations will break compatibility when deployed.

What are the steps to reproduce this issue?

Input clear steps to reproduce the issue for a maintainer.

N/A

Any logs, error output, etc?

N/A

Any other comments?

Here it could be as simple as sending an HTTP request to <keycloak_url>/auth/realms/<realm name> where both the keycloak url and the realm name can be extracted from the authorization or token urls.

mircea-pavel-anton avatar Feb 03 '22 16:02 mircea-pavel-anton
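The flow the issue proposes (derive the realm URL from the authorization or token URL, read the discovery document, and fetch the current signing keys instead of pinning one PEM) can be sketched as follows. This is an added example, not social-core's code and not the author's draft: the class `KeycloakKeyResolver`, the helper names, and the `fetch_json` injection point are assumptions, and the host `keycloak.example.test`, realm `demo`, key ids and `n` values in the fake server are constructed so the rotation behaviour can be exercised offline. It prefers the realm's `jwks_uri` over the single `public_key` field of `<keycloak_url>/auth/realms/<realm>`, because a JWKS carries a `kid` per key and lets a verifier pick the right one after a rotation; it also refuses non-HTTPS sources and checks that the discovered `issuer` matches the derived realm URL before trusting the document.

```python
"""Resolve Keycloak signing keys dynamically instead of pinning one PEM.

Added example (not social-core code). The HTTP layer is injectable so the
flow runs offline against constructed documents; default_fetch_json is the
real-world fetcher.
"""
import base64
import json
import urllib.request
from urllib.parse import urlsplit, urlunsplit


def realm_base_url(endpoint_url):
    """Derive https://host/auth/realms/<realm> from an authorization or token
    URL such as .../realms/<realm>/protocol/openid-connect/auth."""
    parts = urlsplit(endpoint_url)
    if parts.scheme != "https":
        # keys fetched over plaintext could be swapped in transit
        raise ValueError("refusing to derive a key source from a non-HTTPS URL")
    segments = parts.path.split("/")
    if "realms" not in segments:
        raise ValueError("not a Keycloak realm endpoint: %s" % endpoint_url)
    idx = segments.index("realms")
    if idx + 1 >= len(segments) or not segments[idx + 1]:
        raise ValueError("realm name missing in %s" % endpoint_url)
    return urlunsplit((parts.scheme, parts.netloc, "/".join(segments[: idx + 2]), "", ""))


def discovery_url(realm_url):
    return realm_url + "/.well-known/openid-configuration"


def default_fetch_json(url):
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


def jwt_header(token):
    """Decode the (unverified) JOSE header to read the kid. Nothing here is
    trusted until the signature is checked against the resolved key."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment))


class KeycloakKeyResolver:
    """Caches the discovery document and JWKS; refetches keys once on an
    unknown kid, which is what a key rotation looks like from the client."""

    def __init__(self, authorization_url, fetch_json=default_fetch_json):
        self.realm_url = realm_base_url(authorization_url)
        self._fetch = fetch_json
        self._config = None
        self._keys = {}

    def config(self):
        if self._config is None:
            cfg = self._fetch(discovery_url(self.realm_url))
            # a discovery document whose issuer is not our realm would point
            # key fetching somewhere we did not intend to trust
            if cfg.get("issuer") != self.realm_url:
                raise ValueError("issuer %r != realm %r" % (cfg.get("issuer"), self.realm_url))
            self._config = cfg
        return self._config

    def refresh_keys(self):
        jwks = self._fetch(self.config()["jwks_uri"])
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if k.get("use", "sig") == "sig"}
        return self._keys

    def key_for(self, kid):
        if kid not in self._keys:
            self.refresh_keys()  # unknown kid: assume rotation, refetch once
        if kid not in self._keys:
            raise LookupError("no signing key with kid %r" % kid)
        return self._keys[kid]

    def key_for_token(self, token):
        return self.key_for(jwt_header(token)["kid"])


# --- constructed fake Keycloak standing in for the live server (test data) ---
REALM = "https://keycloak.example.test/auth/realms/demo"


class FakeKeycloak:
    def __init__(self):
        self.calls = []
        self.rotate("old-key")

    def rotate(self, kid):
        # "n" is a constructed placeholder, not a real RSA modulus
        self.jwks = {"keys": [{"kid": kid, "kty": "RSA", "use": "sig", "alg": "RS256",
                               "n": "constructed-modulus-" + kid, "e": "AQAB"}]}

    def fetch(self, url):
        self.calls.append(url)
        if url == discovery_url(REALM):
            return {"issuer": REALM,
                    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
                    "token_endpoint": REALM + "/protocol/openid-connect/token",
                    "jwks_uri": REALM + "/protocol/openid-connect/certs"}
        if url == REALM + "/protocol/openid-connect/certs":
            return self.jwks
        raise KeyError(url)


def unsigned_token_with_kid(kid):
    """Build a token whose header names kid; payload/signature are dummies."""
    header = base64.urlsafe_b64encode(json.dumps({"alg": "RS256", "kid": kid}).encode()).rstrip(b"=")
    return header.decode() + ".e30.sig"


def demo():
    """Returns (kid before rotation, kid after rotation, HTTP calls made)."""
    server = FakeKeycloak()
    resolver = KeycloakKeyResolver(REALM + "/protocol/openid-connect/auth", fetch_json=server.fetch)
    first = resolver.key_for_token(unsigned_token_with_kid("old-key"))["kid"]
    server.rotate("new-key")  # Keycloak rotates; the client has no new config
    second = resolver.key_for_token(unsigned_token_with_kid("new-key"))["kid"]
    return first, second, len(server.calls)


if __name__ == "__main__":
    print(demo())
```

Only three requests are made across the rotation: discovery once, JWKS once on first use, and JWKS again when the unknown `kid` appears; the discovery document stays cached. A resolver like this still needs a rate limit on the refetch path so a flood of tokens with bogus `kid` values cannot be used to hammer the JWKS endpoint.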

Something along these lines maybe.

This is more of a draft idea, take it more as pseudocode / a logic overview. I have not tested this yet, but if this is something you agree could improve the project I will polish it up and submit a PR!

mircea-pavel-anton avatar Feb 03 '22 16:02 mircea-pavel-anton