since https://issues.redhat.com/browse/KEYCLOAK-14299 the keys inside a new realm are empty (no jwks keys; /auth/realms/master/protocol/openid-connect/certs) unless the admin user logged in first time.
Is there a way (trough an SPI?) to get the old behavior back? There there a hook that can be executed on realm creation and execute the function DefaultKeyProviders.createProviders(newRealm);
This is currently planned to be reverted back in KC 13 release
However it sounds like it will probably change again in a later release as they transition to the Quarkus dist.
If you need the old behaviour back for now, probably best to run a minor fork until 13 is released.
thanks for the information.
In meanwhile, we extract our custom logic from keycloak in a reverse proxy application. That should be more future proof.