Invalid signature with HS256 token

Right, using the public key provided by Keycloak to verify an RSA-signed token works without any issues. Initially I also ran into the problem of verifying an HS256-signed token using the secret key obtained from the Keycloak DB. Then decoding that key worked for me. I used the following script to get the decoded secret key.

    import base64

    def base64url_decode(input):
        # Accept str or bytes; base64url values from the DB carry no padding,
        # so restore it before handing the value to the standard decoder.
        if isinstance(input, str):
            input = input.encode("ascii")
        rem = len(input) % 4
        if rem > 0:
            input += b"=" * (4 - rem)
        return base64.urlsafe_b64decode(input)

And then using the pyjwt library to decode the token works for me.

    import jwt

    decoded_secret_key = base64url_decode('secret key got from DB')
    # pyjwt expects a list of algorithms and the keyword is "options"
    jwt.decode(id_token, decoded_secret_key, algorithms=["HS256"], options={'verify_signature': True})

Online tools like https://jwt.io/ also work. Just use the secret key from the DB and check the "secret base64 encoded" box.

The key in your code is slightly different from the one you provided earlier. Probably just a typo.

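The point of the reply above is that the HS256 secret stored by Keycloak is a base64url encoding of the real HMAC key, so a verifier must decode it before use. The following is an added, self-contained illustration (not code from the post or from Keycloak) that signs and verifies an HS256 token with only the Python standard library; the secret, claims and issuer URL are constructed sample values, and `DB_SECRET_VALUE` merely stands in for what the DB column would hold.

```python
import base64
import hashlib
import hmac
import json


def base64url_decode(data):
    """Decode unpadded base64url (the form Keycloak stores the secret in)."""
    if isinstance(data, str):
        data = data.encode("ascii")
    rem = len(data) % 4
    if rem:
        data += b"=" * (4 - rem)
    return base64.urlsafe_b64decode(data)


def base64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS/JWT signed with HMAC-SHA256 over header.payload."""
    header = base64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = base64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{base64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Return True only if the token is HS256 and its HMAC matches under key."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    header = json.loads(base64url_decode(header_b64))
    # Pin the algorithm: never let the token's header choose it for us.
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, base64url_decode(sig_b64))


# Constructed sample: the raw key the server actually signs with ...
RAW_SECRET = b"constructed-example-hmac-key-not-a-real-keycloak-secret"
# ... and the base64url form in which such a key would sit in the DB (assumption).
DB_SECRET_VALUE = base64url_encode(RAW_SECRET)


def demo():
    """Verify the same token with the undecoded DB string and with the decoded key."""
    token = sign_hs256({"sub": "user-123", "iss": "http://localhost/realms/demo"}, RAW_SECRET)
    # Wrong: treating the DB string itself as the HMAC key -> signature mismatch.
    naive = verify_hs256(token, DB_SECRET_VALUE.encode("ascii"))
    # Right: base64url-decode the DB value first -> signature verifies.
    decoded = verify_hs256(token, base64url_decode(DB_SECRET_VALUE))
    return naive, decoded


if __name__ == "__main__":
    print(demo())  # (False, True)
```

Running `demo()` reproduces the "Invalid signature" symptom from the thread title with the undecoded string and a successful check once the value is decoded; the same decoded bytes are what the pyjwt call in the post passes as its key.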