RS256 for refresh tokens

Photonios · January 18, 2021, 8:47am

Keycloak signs access and ID tokens with RS256. However, it signs access tokens with HS256 (HMAC).

Is there the possibility of making Keycloak use RS256 for refresh tokens as well? This would allow applications to verify whether the refresh token is authentic with just a public key.

I’ve tried disabling the HMAC key provider, but it just creates a fallback provider (fallback-HS256).

dmarras · June 30, 2021, 3:07pm

Same thought…anybody helps?

mbonn · June 30, 2021, 3:38pm

Hi,
The one and only intention of a refresh token is to send it back to the party who initially created it (audience is equal to issuer). So only Keycloak / the OP needs to verify the signature of a refresh token. When you use a refresh token with an invalid signature, the OP will tell you. That’s why the much faster symmetrical signature is sufficient.

dmarras · July 1, 2021, 9:12am

Thanks for replying, in this scenario the only token we have to verify in the client application is the access token that cames with a rs256 signature(or the identity token that carry user information), just to prevent a man in the middle attack…did I get it right?

mbonn · July 1, 2021, 9:36am

Yes, that’s it. THe ID Token should be validated according to Final: OpenID Connect Core 1.0 incorporating errata set 1

Topic		Replies	Views
Can I get an HS256 token signed using client secret instead of Realm level key? Getting advice	0	788	March 3, 2022
Is client_id always required to refresh a token? Getting advice	2	5813	September 21, 2020
SPI or API to inject custom logics while validating refresh tokens Extending the server oidc	0	397	March 19, 2021
ID Token won't change alg in Keycloak 17.0.1 client Securing applications authentication , oidc	0	356	April 20, 2022
Using client secret to signing tokens instead of realm keys Getting advice authentication , oidc	2	2158	July 1, 2022

RS256 for refresh tokens

Related Topics