Can I get an HS256 token signed using client secret instead of Realm level key?

Use case:
We are migrating from a different IAM provider to Keycloak. We have some OAuth clients that use the HS256 algorithm and assume that the key to verify a token signed with HS256 is the client secret (this is what the previous IAM provider did). Keycloak does not do that. It uses a Realm level key. So token verification fails at the OAuth clients that are doing local verification using the client secret.

Please see the note from the spec here:
Final: OpenID Connect Core 1.0 incorporating errata set 1 -
I’m understanding this to mean that when MAC algorithms are used, the client secret should be the key to sign and validate the token. Keycloak doesn’t do this. Am I missing something?


  1. Is there a way to configure Keycloak’s behavior to use the client secret so we can be backwards compatible with these OAuth clients?
  2. Is there a way to implement a SignatureProvider, that will use the client secret, that will override the current SignatureProvider that signs the token using the Realm level Key?
  3. We’d like to do this without forking Keycloak code base - is it possible to write an SPI and plant it in the deployments folder - will Keycloak pick this up and override its current SignatureProvider implementation? I realize that the SignatureProvider SPI is not a public SPI but this approach would help us to avoid forking Keycloak.

Thanks for your thoughts!!