Hi,

sorry for the confusion... I'm in the process of setting up my servers. I had your error, but than I realized there was something wrong in my conf.yaml. After I fixed the config, the exact same error came back... very frustrating.

But still, I got it working now.

Regarding your question: yes, I use Keycloak 26, with the docker-v2 extension. It runs in a container that I start with podman-compose.
Outside I have a Nginx running as a reverse proxy.

I know there will be trouble with the developers here, but unfortunately the latest version of registry is not compatible with the current version of docker-v2. Docker-v2 still uses libtrust. So I tried it with version 2.8.3 to see if it works. So please try 2.8.3 - for testing. It is not recommended to use this version.

Otherwise, I stored the RSA certificate of my realm and referenced it in the conf.yaml. I have removed the jws for now.
My conf.yaml looks like this:

auth:
  token:
    realm: "https://my.webserver.com/realms/docker-registry/protocol/docker-v2/auth"
    service: "mydocker-v2"
    issuer: "https://my.webserver.com/realms/docker-registry"
    rootcertbundle: /etc/keycloak/keycloak_cert.pem

Okay so it works for me, with some issues:

After finding keycloak/keycloak#33776 , I tried out Keycloak 25.0.6 with registry:2.8.3 and it works! But trying out Keycloak 26.0.0 with it, with distribution:edge, it doesn't work. Moving to 26.0.1 (released yesterday!!) also works.

So it works for me when using Keycloak 26.0.1 and registry:2.8.3 .

So I am guessing the regression also affected login, and distribution:edge doesn't work with newer versions of Keycloak (i don't exactly know when the two stopped playing well with each other).

I've updated my repository so that it works, with the issue of getting to work with edge and registry:v3. I won't resolve this until the two also work together in v3.

Thanks for your help, I hope this helps other people!

I'm seeing the same error using https://github.com/cesanta/docker_auth as my auth provider. This was apparently also affected by this change. I have successfully used the workaround documented here to generate jwks.json: cesanta/docker_auth#386

It'd be nice if instead it just properly trusted the cert passed in the CA bundle.
xref: #4470 (comment)

I think this should be resolved by #4521

On the apparently likely chance that the distribution maintainers are really going to proceed with releasing distribution/v3 with breaking changes for auth provider support, I have tossed together a quick project to generate a JWKS file from a CA bundle. Any auth providers that have not yet migrated to generating RFC7638 key IDs, and are still using libtrust keyIDs, will need to provide both the CA bundle and the JWKS file.

https://github.com/brandond/bundle2jwks