
I am trying to get the private keys from Keycloak realm keys. I am able to get the public keys using the OpenID /certs API. Please let me know if it is possible to get the private keys of realms in Keycloak.

3 Answers


I use the private key to write tests that tamper with the JWT payload to verify an application. I got all security pitfalls.

Getting the private key with MySQL is easy:

USE <kc_db_schema>;
-- Keycloak stores key-provider settings as name/value rows in COMPONENT_CONFIG,
-- linked to the provider row in COMPONENT, which belongs to a realm.
SELECT CC.VALUE
FROM COMPONENT_CONFIG CC
INNER JOIN COMPONENT C ON CC.COMPONENT_ID = C.ID
INNER JOIN REALM R ON R.ID = C.REALM_ID
WHERE R.NAME = 'your-realm-name'
  AND C.NAME = 'rsa-generated'
  AND CC.NAME = 'privateKey';

Using this privateKey value I'm able to sign my payload. In Python PyJWT it is VERY important to add the '-----BEGIN RSA PRIVATE KEY-----' / '-----END RSA PRIVATE KEY-----' with linefeeds to the key:

import jwt  # PyJWT

# The BEGIN/END lines and the newlines around the key body are required;
# without them the PEM parser rejects the key.
private_key = b"-----BEGIN RSA PRIVATE KEY-----\n<my privateKey from SQL query>\n-----END RSA PRIVATE KEY-----"
jwt_encoded = jwt.encode({my payload}, private_key, algorithm="RS256")
psytester
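One way to structure the tamper tests this answer describes, as an added example that is not the answerer's code and not Keycloak's: it generates a throwaway RSA key pair standing in for the realm key (no value from any Keycloak database is used), shows the PEM wrapping step the answer insists on, and signs and verifies RS256 tokens directly with the cryptography library instead of PyJWT so the checks a verifier must perform are visible. The sample claims, the `pem_from_base64_der` helper and its label parameter are assumptions; the label has to match how the bare DER blob is encoded (PKCS#8 vs PKCS#1), which is why it is a parameter rather than hard-coded.

```python
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWS segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(); restores the stripped padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def pem_from_base64_der(blob: str, label: str = "PRIVATE KEY") -> bytes:
    """Wrap a bare base64 DER blob (the shape of a COMPONENT_CONFIG value) in PEM armour.
    Assumed helper: label must match the DER encoding ("PRIVATE KEY" for PKCS#8,
    "RSA PRIVATE KEY" for PKCS#1). Body lines are wrapped at 64 characters."""
    body = "\n".join(blob[i:i + 64] for i in range(0, len(blob), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("ascii")


def sign_rs256(payload: dict, private_key) -> str:
    """Produce header.payload.signature with RSASSA-PKCS1-v1_5 over SHA-256 (JWS RS256)."""
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = f"{b64url(compact_json(header))}.{b64url(compact_json(payload))}"
    signature = private_key.sign(signing_input.encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return f"{signing_input}.{b64url(signature)}"


def verify_rs256(token: str, public_key):
    """Return the payload if token is a valid RS256 JWS under public_key, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "RS256":  # pin the algorithm; never let the token pick it
        return None
    try:
        public_key.verify(b64url_decode(sig_b64),
                          f"{header_b64}.{payload_b64}".encode("ascii"),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        return None
    return json.loads(b64url_decode(payload_b64))


def edit_payload_without_resigning(token: str, **changes) -> str:
    """Change claims but keep the old signature: the tampering a verifier must reject."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(changes)
    return f"{header_b64}.{b64url(compact_json(payload))}.{sig_b64}"


def run_tamper_tests() -> dict:
    # Constructed stand-in for the realm key: a fresh pair, not a database value.
    realm_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Simulate the bare base64 DER a DB query would return, then round-trip it through PEM.
    der = realm_key.private_bytes(serialization.Encoding.DER,
                                  serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    loaded_key = serialization.load_pem_private_key(
        pem_from_base64_der(base64.b64encode(der).decode("ascii")), password=None)
    realm_pub = realm_key.public_key()
    other_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    # Constructed sample claims.
    user = {"sub": "alice", "realm_access": {"roles": ["user"]}}
    admin = {"sub": "alice", "realm_access": {"roles": ["admin"]}}
    token = sign_rs256(user, loaded_key)
    alg_none = b64url(compact_json({"alg": "none"})) + "." + b64url(compact_json(admin)) + "."
    return {
        "genuine_token_accepted": verify_rs256(token, realm_pub) == user,
        "edited_claims_rejected": verify_rs256(
            edit_payload_without_resigning(token, realm_access={"roles": ["admin"]}), realm_pub) is None,
        "foreign_key_rejected": verify_rs256(sign_rs256(admin, other_key), realm_pub) is None,
        "alg_none_rejected": verify_rs256(alg_none, realm_pub) is None,
        # Accepted by construction: anyone holding the realm private key can mint valid tokens.
        "realm_key_forgery_accepted": verify_rs256(sign_rs256(admin, loaded_key), realm_pub) == admin,
    }


if __name__ == "__main__":
    for name, ok in run_tamper_tests().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The last entry is the one that matters for the thread: a token re-signed with the realm's own key is indistinguishable from a genuine one, so the value of these tests lies in confirming that the verifier rejects every other variant (edited claims, a foreign key, `alg: none`) and that the private key itself never leaves the database or the signing service.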

I am able to get private keys from the Keycloak database; the table name is component_config.

  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Jun 06 '22 at 22:03

Well, you are not allowed to. That is why they are called private keys; you can't expect to get a private key through an API.

Private keys are private to the holder; you can learn more about them here.

gsan
  • Is there any table in Keycloak that stores the private key and public keys? – Babji Vaddipalli May 24 '22 at 14:56
  • You can learn more about keys in keycloak here: https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/realms/keys.adoc You can mark my original answer as accepted answer for the people in the future who visit and get help by your question. – gsan May 24 '22 at 15:30