jwks empty

Original message was deleted

FFO•2/5/24, 9:21 AM

Hm can you share where you see that?

Self-hosted or cloud?

You can share me the domain in a DM if you use our cloud service

FFO•2/5/24, 12:18 PM

@johakoch can it be that your instance was not being used (logins) for more then 30h?

FFO•2/5/24, 12:25 PM

Ok, so it could well be that no new keys were generated because nobody did login and the old public keys expired after 30h

FFO•2/5/24, 1:12 PM

yes, atm that is true

fabienne•8/8/24, 8:54 AM

we are currently working on that improvement of the key managemnt, but will take us a moment to finish

fabienne•10/7/24, 11:34 AM

hei @fuzzbizz as mentioned in the github discussion, we have released the new management in an alpha state and would like to get some feedback, you can find the docs here: https://zitadel.com/docs/guides/integrate/login/oidc/webkeys

ZITADEL Docs

Web Keys in ZITADEL are used to sign and verify JSON Web Tokens (JWT).

Hh_moazzem How can we watch the key rotation (to update PostgREST's `PGRST_JWT_SECRET`)? Cu...

FFO•10/9/24, 1:40 PM

I do not understand what you are trying to achieve, can you elaborate?

The client can cache the jwks with a scheduled approach but it needs to fetch new keys once it encounters tokens with an unknown kidkid

Btw. we have an alpha version of an api that allows you to rotate the keys yourself https://zitadel.com/docs/category/apis/resources/webkey_service_v3/zitadel-web-keys

Hh_moazzem This new api might help. PostgREST itself doesn't fetch the JWKS. Instead it req...

FFO•10/9/24, 2:29 PM

Ah I see, yeah then I would look into the new api since it allows you to change/activate keys at your choice

FFO•10/17/24, 8:27 AM

I see, that happens if nobody logs in for a few hours, then zitadel stops creating new keys

FFO•10/17/24, 8:27 AM

But the new API does solve that for you

Ffuzzbizz I am looking at having a dummy account log in every 30 minutes or similar (clear...

FFO•10/17/24, 3:15 PM

Well that would work to my take... when self-hosting you could also change the rotation times.

But to me the api call to the new jwks api is easier then doing a workaround with a user login

Ffuzzbizz To be clear - there's no intention of changing this behaviour so it returns a po...

FFO•10/21/24, 8:20 AM

The way forward for us will be to switch to "static" keys that a customer can create/activate through an api.

FFO•10/21/24, 8:21 AM

Reason is that many tools anyway have a lot of problems with automatically rotating keys and we want to fix that in general

FFO•10/21/24, 8:21 AM

You can find more insights here https://github.com/zitadel/zitadel/discussions/7464

Cchilom it's worth asking @FFO how much "costly" this operation is, and try to find the...

FFO•11/12/24, 4:28 PM

Creating a new key is not super expensive, we currently even roll new once for active instances each 6h as default