Refresh token is signed with HS256, How to validate the token offline?


We want to validate the refresh token at the application level. The refresh token is a HS256 token. How can I get the secret used by keycloak to sign this token?

I tired this query in postgres to retrive the secret, but unfortunately using this secret still shows signature is invalid.

SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = WHERE C.realm_id = ‘master’ and provider_id = ‘hmac-generated’ AND = ‘secret’;

Please can somone advice?

Have you solved this issue? I’m facing the same. The generated secret for anything signed with HS256 does not work with at least 3 .NET libraries I’ve tried and at least 3 online tools.