Invalid signature with HS256 token

To get the secret used for signing/verifying HS256 tokens, try using the following SQL:

SELECT value FROM component_config CC INNER JOIN component C ON (CC.component_id = C.id) WHERE C.realm_id = '<realm-id-here>' AND provider_id = 'hmac-generated' AND CC.name = 'secret';

If you use the resulting secret to verify the tokens, the signature should match. I’m not sure if this secret is available through the UI; probably not.

1 Like
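An added example, not part of the original post: a standard-library check of an HS256 token against the value returned by the query above. The post does not say whether the stored value is the key itself or a base64url encoding of it, so the sketch tries both readings and reports which one verifies; all names, the key and the token below are constructed for illustration, and only the signature is checked, not `exp` or other claims.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    # JWTs strip '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256(token: str, key: bytes) -> bool:
    """True only if the token declares HS256 and its HMAC-SHA256 matches."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except (ValueError, TypeError):
        return False
    # Pin the algorithm: never let the token choose "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)  # constant-time comparison

def candidate_keys(stored: str) -> dict:
    """Assumed readings of the stored value: literal text or base64url bytes."""
    keys = {"utf-8": stored.encode()}
    try:
        keys["base64url-decoded"] = b64url_decode(stored)
    except ValueError:
        pass  # not valid base64url, so only the literal reading applies
    return keys

def matching_interpretations(token: str, stored: str) -> list:
    return [n for n, k in candidate_keys(stored).items() if verify_hs256(token, k)]

def make_token(claims: dict, key: bytes) -> str:
    # Builds a constructed sample token so the example runs offline.
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

RAW_KEY = bytes(range(32))             # constructed key material
STORED_VALUE = b64url_encode(RAW_KEY)  # constructed stand-in for the query result
SAMPLE_TOKEN = make_token({"sub": "demo"}, RAW_KEY)

if __name__ == "__main__":
    print(matching_interpretations(SAMPLE_TOKEN, STORED_VALUE))
```

An empty result means neither reading of the stored value produced a matching signature, so the token was signed with a different key or was modified.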