Keycloak signs access and ID tokens with RS256. However, it signs refresh tokens with HS256 (HMAC).
Is there a possibility of making Keycloak use RS256 for refresh tokens as well? This would allow applications to verify whether the refresh token is authentic with just a public key.
I’ve tried disabling the HMAC key provider, but it just creates a fallback provider (fallback-HS256).
Hi,
The one and only intention of a refresh token is to send it back to the party who initially created it (audience is equal to issuer). So only Keycloak / the OP needs to verify the signature of a refresh token. When you use a refresh token with an invalid signature, the OP will tell you. That’s why the much faster symmetrical signature is sufficient.
Thanks for replying. In this scenario the only token we have to verify in the client application is the access token that comes with an RS256 signature (or the identity token that carries user information), just to prevent a man-in-the-middle attack… did I get it right?