During security scan of a Keycloak installation, on the username/password screen anyone is able to modify JWT tokens like KC_RESTART, KEYCLOAK_IDENTIFY including the encoding and signature. While the modifications are not impacting the behaviour, Keycloak does not throw any errors or break the login process if such tampering is done. Is this normal or am I missing something?
Is Keycloak secure from JWT related attacks including JWT none and signature attacks? I have not been able to locate any documentation around it. Thanks in advance.