Add configurable retry logic for OCSP certificate validation checks #42401

@chance-coleman

Description


In environments with intermittent network connectivity or when OCSP responders experience temporary outages, X.509 certificate authentication can fail unnecessarily. This is particularly problematic in air-gapped environments where network reliability may be an issue.

Currently, when an OCSP check fails, Keycloak immediately fails the certificate validation without any retry attempts. This leads to authentication failures that could be avoided with a simple retry mechanism.

Discussion

No response

Motivation

Organizations operating in environments with unreliable network connections or using OCSP responders that occasionally experience brief outages need a more resilient certificate validation process. Without retry logic, users may be unable to authenticate during temporary network issues, leading to service disruptions.

This is especially critical for:

  • Air-gapped environments with intermittent connectivity
  • High-security environments that require OCSP validation but may have network constraints
  • Deployments where OCSP responders occasionally experience brief outages

Details

Implement configurable retry logic for OCSP checks with the following features:

  1. A configurable maximum number of retry attempts
  2. A configurable wait time between retry attempts
  3. Proper logging of retry attempts and failures
  4. Graceful degradation when all retries are exhausted
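The four points above describe one mechanism, so the following is a single worked illustration of it. It is an added example written for this page, not Keycloak code and not tied to Keycloak's Java OCSP classes: the `OcspStatus` enum, `RetryConfig`, `check_with_retry` and `flaky_responder` are all names assumed here, and the responder that fails a fixed number of times before answering is constructed for the demonstration. It shows the three decisions the feature request leaves implicit: only transport-level failures are retried (a definitive GOOD or REVOKED answer is never re-queried), the wait between attempts is configurable, and when every attempt fails the check returns an explicit UNKNOWN status rather than an exception, so the caller decides how to degrade.

```python
import logging
import time
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Tuple

log = logging.getLogger("ocsp.retry")


class OcspStatus(Enum):
    """Outcome of a single OCSP query (names assumed for this example)."""
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # no definitive answer could be obtained


class OcspTransientError(Exception):
    """Transport-level failure reaching the responder: the only retryable case."""


@dataclass
class RetryConfig:
    max_attempts: int = 3        # total attempts, including the first one
    wait_seconds: float = 1.0    # pause between consecutive attempts
    fail_open: bool = False      # how to treat UNKNOWN after all retries fail


def check_with_retry(check: Callable[[], OcspStatus], cfg: RetryConfig,
                     sleep: Callable[[float], None] = time.sleep) -> OcspStatus:
    """Run `check` up to cfg.max_attempts times, logging each failure.

    Returns the responder's answer on the first successful attempt, or
    OcspStatus.UNKNOWN once every attempt has raised OcspTransientError.
    `sleep` is injectable so tests can run without real delays.
    """
    for attempt in range(1, cfg.max_attempts + 1):
        try:
            status = check()
            if attempt > 1:
                log.info("OCSP check succeeded on attempt %d/%d", attempt, cfg.max_attempts)
            return status
        except OcspTransientError as exc:
            log.warning("OCSP attempt %d/%d failed: %s", attempt, cfg.max_attempts, exc)
            if attempt < cfg.max_attempts:
                sleep(cfg.wait_seconds)
    log.error("OCSP check gave up after %d attempts; status is UNKNOWN", cfg.max_attempts)
    return OcspStatus.UNKNOWN


def validate_certificate(check: Callable[[], OcspStatus], cfg: RetryConfig) -> bool:
    """Map the retried OCSP status to an accept/reject decision."""
    status = check_with_retry(check, cfg)
    if status is OcspStatus.GOOD:
        return True
    if status is OcspStatus.REVOKED:
        return False
    # UNKNOWN: the policy knob decides; fail-closed is the default.
    return cfg.fail_open


def flaky_responder(failures_before_success: int,
                    final: OcspStatus = OcspStatus.GOOD
                    ) -> Tuple[Callable[[], OcspStatus], dict]:
    """Constructed stand-in for an OCSP responder with a temporary outage.

    Raises OcspTransientError for the first `failures_before_success` calls,
    then returns `final`. The returned dict counts how many calls were made.
    """
    calls = {"n": 0}

    def check() -> OcspStatus:
        calls["n"] += 1
        if calls["n"] <= failures_before_success:
            raise OcspTransientError("connection to responder timed out (constructed)")
        return final

    return check, calls


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    cfg = RetryConfig(max_attempts=3, wait_seconds=0.5)
    check, calls = flaky_responder(failures_before_success=2)
    print("accepted:", validate_certificate(check, cfg), "after", calls["n"], "attempts")
```

The `fail_open` knob is where the "graceful degradation" point needs care: returning UNKNOWN lets the caller log and continue, but accepting a certificate on UNKNOWN means a revoked certificate is accepted for as long as the responder is unreachable, so the default here is fail-closed and the relaxed setting is a deliberate, per-deployment choice. Note also that a REVOKED answer short-circuits on the first attempt; retrying a definitive negative answer would only delay the rejection.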

Benefits

  • Improved Reliability: Handles temporary network issues or OCSP responder unavailability
  • Configurability: Allows administrators to tune retry behavior based on their environment
  • Graceful Degradation: Returns a meaningful status even when all retries fail
  • Detailed Logging: Provides visibility into retry attempts and failures

Related Work

  • This feature is similar to retry mechanisms implemented in other certificate validation libraries
  • This approach is consistent with industry best practices for handling transient network failures
