Refresh token is signed with HS256, how to validate the token offline?

Hello,

We want to validate the refresh token at the application level. The refresh token is an HS256 token. How can I get the secret used by Keycloak to sign this token?

I tried this query in Postgres to retrieve the secret, but unfortunately using this secret still shows that the signature is invalid.

SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE C.realm_id = 'master' and provider_id = 'hmac-generated' AND CC.name = 'secret';

Please can someone advise?

Have you solved this issue? I’m facing the same. The generated secret for anything signed with HS256 does not work with at least 3 .NET libraries I’ve tried and at least 3 online tools.