Resolving Intermittent "Public Key Retrieval is not allowed" Errors in Java MySQL 8.0 JDBC Connections
This article explains why Java applications occasionally encounter the "Public Key Retrieval is not allowed" error when connecting to MySQL 8.0, analyzes the role of caching_sha2_password and the server's user authentication cache, and provides practical solutions such as specifying the RSA public key, enabling allowPublicKeyRetrieval=true, or switching to mysql_native_password.
When a Java program connects to MySQL 8.0 using the JDBC driver, it may sporadically fail with the exception java.sql.SQLNonTransientConnectionException: Public Key Retrieval is not allowed. The root cause is the default caching_sha2_password authentication plugin, which requires TLS protection for password transmission and relies on a cached authentication entry on the server.
If the server has a cached entry for the user, the connection succeeds without additional RSA public-key configuration. If the cache entry is absent (for example after a server restart, an MGR primary switch, or after a DBA runs flush privileges;), a connection without TLS has to encrypt the password with the server's RSA public key. The driver is not permitted to retrieve that key by default, so the error is thrown.
The article documents a reproducible test: a simple Java program (code omitted) throws the error; manually connecting with the MySQL client creates the cache entry and resolves it; restarting the server or flushing privileges makes the error reappear.
Based on these observations, three remediation options are recommended:
1. Configure the application to use the server's RSA public key explicitly.
2. Enable allowPublicKeyRetrieval=true in the JDBC URL (be aware of the potential MITM risk: the driver then accepts whatever public key the remote endpoint sends).
3. Change the user's authentication plugin to mysql_native_password on the MySQL side.
Choosing any of these solutions eliminates the intermittent connection failure caused by a missing authentication cache entry.
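As an added example (not code from the original article), the following audit script classifies JDBC URLs by how the password is protected when the server's cache is cold. It goes beyond the three options above by also recognising Connector/J's sslMode property; the verdict names, host name and key file path are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Connector/J sslMode values that authenticate the server certificate.
VERIFIED_TLS = {"verify_ca", "verify_identity"}

def jdbc_props(url):
    """Return the URL's query properties with lower-cased keys and values.
    Case is folded here so differently spelled properties are still caught
    (a choice of this example, not a statement about the driver)."""
    query = url.partition("?")[2]
    return {k.lower(): v.lower() for k, v in parse_qsl(query)}

def classify(url):
    """Verdict names are this example's own labels."""
    p = jdbc_props(url)
    ssl_mode = p.get("sslmode", "")
    if ssl_mode in VERIFIED_TLS:
        # Password travels inside authenticated TLS; no RSA exchange needed.
        return "tls-verified"
    if p.get("serverrsapublickeyfile"):
        # Option 1: the client encrypts with a key it already holds.
        return "pinned-rsa-key"
    if p.get("allowpublickeyretrieval") == "true":
        # Option 2: key is fetched from an unauthenticated peer (MITM risk).
        return "key-retrieval-unverified"
    if ssl_mode == "disabled" or p.get("usessl") == "false":
        # No TLS and no key: works only while the server cache is warm.
        return "fails-on-cold-cache"
    # TLS may be used, but the server certificate is not verified.
    return "tls-unverified"

BASE = "jdbc:mysql://db.example.internal:3306/app"  # constructed host
SAMPLES = [  # constructed URLs
    BASE + "?useSSL=false",
    BASE + "?useSSL=false&allowPublicKeyRetrieval=true",
    BASE + "?useSSL=false&serverRSAPublicKeyFile=/etc/app/mysql_public_key.pem",
    BASE + "?sslMode=VERIFY_IDENTITY&allowPublicKeyRetrieval=true",
    BASE + "?sslMode=REQUIRED",
]

def audit(urls):
    """Map each URL to its verdict."""
    return {u: classify(u) for u in urls}

if __name__ == "__main__":
    for url, verdict in audit(SAMPLES).items():
        print(f"{verdict:26} {url}")
```

URLs reported as fails-on-cold-cache are the ones that reproduce the intermittent error after a restart or flush; key-retrieval-unverified marks where option 2 is in use without certificate verification.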
Aikesheng Open Source Community
The Aikesheng Open Source Community provides stable, enterprise‑grade MySQL open‑source tools and services, releases a premium open‑source component each year (1024), and continuously operates and maintains them.