key-rotator
This tool performs key rotation for Keycloak, making the realm keys rotate after a specified time.
[[realm_keys]]
=== Configuring realm keys
The authentication protocols that are used by {project_name} require cryptographic signatures and sometimes encryption. {project_name} uses asymmetric key pairs, a private and public key, to accomplish this.
{project_name} has a single active key pair at a time, but can have several passive keys as well. The active key pair is used to create new signatures, while the passive key pair can be used to verify previous signatures. This makes it possible to regularly rotate the keys without any downtime or interruption to users.
When a realm is created, a key pair and a self-signed certificate are automatically generated.
.Procedure
. Click Realm settings in the menu.
. Click Keys.
. Select Passive keys from the filter dropdown to view passive keys.
. Select Disabled keys from the filter dropdown to view disabled keys.
A key pair can have the status Active, but still not be selected as the currently active key pair for the realm.
The active pair used for signatures is chosen from the first key provider, in priority order, that is able to provide an active key pair.
==== Rotating keys
We recommend that you regularly rotate keys. Start by creating new keys with a higher priority than the existing active keys. Alternatively, you can create new keys with the same priority and make the previous keys passive.
Once new keys are available, all new tokens and cookies will be signed with the new keys. When a user authenticates to an application, the SSO cookie is updated with the new signature. When OpenID Connect tokens are refreshed, the new tokens are signed with the new keys. Eventually, all cookies and tokens use the new keys, and after a while the old keys can be removed.
The frequency of deleting old keys is a tradeoff between security and making sure all cookies and tokens are updated. Consider creating new keys every three to six months and deleting old keys one to two months after you create the new keys. If a user was inactive in the period between the new keys being added and the old keys being removed, that user will have to re-authenticate.
Rotating keys also applies to offline tokens. To make sure they are updated, the applications need to refresh the tokens before the old keys are removed.
==== Adding a generated key pair
Use this procedure to generate a key pair including a self-signed certificate.
.Procedure
. Select the realm in the Admin Console.
. Click Realm settings in the menu.
. Click the Keys tab.
. Click the Providers tab.
. Click Add provider and select rsa-generated.
. Enter a number in the Priority field. This number determines if the new key pair becomes the active key pair. The highest number makes the key pair active.
. Select a value for AES Key size.
. Click Save.
Changing the priority for a provider will not cause the keys to be re-generated, but if you want to change the key size you can edit the provider and new keys will be generated.
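As an added example (not code from the Keycloak documentation or from this repository), the following Python sketches the rotation decision described above: a new rsa-generated provider is created with a priority above every existing one, and superseded providers are deleted only after a grace period. The `KeyProvider`, `RotationPlan`, `plan_rotation` and `rsa_generated_component` names, the 90-day and 45-day cadence, and the assumption that the rotator records each provider's creation time in its own database (Keycloak's key metadata does not expose it) are the example's own; the component body follows the Keycloak Admin REST API as the author understands it and should be checked against your Keycloak version.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Cadence taken from the guidance above: new keys every three months,
# old keys deleted once the new ones are a month and a half old.
ROTATE_AFTER = timedelta(days=90)
GRACE_PERIOD = timedelta(days=45)

@dataclass
class KeyProvider:
    component_id: str     # id of the key provider component in Keycloak
    priority: int         # provider priority; the highest ACTIVE one signs
    status: str           # "ACTIVE", "PASSIVE" or "DISABLED"
    created_at: datetime  # assumed: recorded by the rotator in its own DB

@dataclass
class RotationPlan:
    new_priority: Optional[int] = None               # create a provider here
    delete: List[str] = field(default_factory=list)  # component ids to remove

def plan_rotation(providers: List[KeyProvider], now: datetime) -> RotationPlan:
    """Decide what one run of the rotator should do."""
    plan = RotationPlan()
    if not providers:
        plan.new_priority = 100
        return plan
    # The pair Keycloak signs with: highest priority among ACTIVE providers.
    signing = max((p for p in providers if p.status == "ACTIVE"),
                  key=lambda p: p.priority, default=None)
    if signing is None or now - signing.created_at >= ROTATE_AFTER:
        # Higher than every existing priority, so the new pair starts signing
        # immediately while the old pair keeps verifying existing signatures.
        plan.new_priority = max(p.priority for p in providers) + 100
    if signing is not None and now - signing.created_at >= GRACE_PERIOD:
        # Cookies and tokens have had GRACE_PERIOD to move to the newer key.
        plan.delete = [p.component_id for p in providers if p is not signing]
    return plan

def rsa_generated_component(realm_id: str, name: str, priority: int,
                            key_size: int = 2048) -> dict:
    # Body for POST /admin/realms/{realm}/components; config values are
    # lists of strings, as the Admin REST API expects (assumed shape).
    return {"name": name, "providerId": "rsa-generated",
            "providerType": "org.keycloak.keys.KeyProvider",
            "parentId": realm_id,
            "config": {"priority": [str(priority)], "keySize": [str(key_size)],
                       "active": ["true"], "enabled": ["true"]}}

def utc_date(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)
```

A provider listed in `plan.delete` is removed with a DELETE on the same components endpoint; the newly created pair is itself deleted only on a later run, once it has been superseded for GRACE_PERIOD.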
=== How to use Alembic
Alembic is a database migration tool for Python, used here for the databases this project manages. To use it, follow these steps. First, initialize Alembic; this command creates the Alembic configuration and the migrations directory:

```shell
alembic init alembic
```

To create a migration, run the following command. It autogenerates the migration script from your model changes, and you need to supply a commit message:

```shell
alembic revision --autogenerate -m "First commit"
```

Then apply it:

```shell
alembic upgrade head
```

This applies the migration to your database; in our case we are only using SQLite.