[keycloak-user] Can decrypt identified HS256 refresh token with RS256 public key with client credentials grant

Eric Brown someericbrown at gmail.com
Mon Sep 9 07:21:52 EDT 2019


Hello,

At first I struggled to understand why pyJWT was raising an error when
decoding a refresh token issued from keycloak using the client
credentials grant. The specified error was: "The specified key is an
asymmetric key or x509 certificate and should not be used as an HMAC
secret."

I now understand the issue:
The refresh token identifies itself as being HS256 encrypted in header, so
pyjwt raises an error when I try to decrypt it with keycloak public key.
The problem is that I am able to decrypt it with the public key when
bypassing verification with verify=False to pyjwt.decode.

The access tokens received are identified as RS256 and are fine.

Pyjwt behavior with enabled verify is thus correct when preventing decode of
HS256 tokens with public keys.

The problem now seems to be this:

Shouldn't it be impossible to decrypt the HS256 refresh token with the
public key at all?

So it might seem that the refresh tokens are incorrectly labelled as HS256
in header but are truly RS256.

Thanks,

Eric
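An added example, not code from the poster or from Keycloak, showing why the two observations above are not in conflict: a `verify=False` decode only base64-decodes the header and payload and never touches the key, while a real HS256 verification needs the HMAC secret (which Keycloak keeps for itself), and a PEM public key must be refused as that secret exactly as pyjwt does. The secret, the PEM stand-in and the token payload are constructed for the demo; the helpers use only the standard library instead of pyjwt.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample secret. A Keycloak HS256 refresh token is signed with a
# realm-internal secret the client never receives (assumption for this demo).
SECRET = b"constructed-realm-secret"
# Constructed stand-in for the PEM public key a client would pass to pyjwt.
PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\nMIIB...\n-----END PUBLIC KEY-----"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Build a compact JWT whose header declares HS256 (constructed sample)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def decode_unverified(token: str):
    """What verify=False amounts to: split and base64-decode. No key is used,
    so it 'works' with a public key, a wrong key, or no key at all."""
    header_b64, body_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(body_b64))


def verify_hs256(token: str, key) -> dict:
    """Check the HMAC; refuse PEM material as the secret, as pyjwt does."""
    if isinstance(key, str) and key.startswith("-----BEGIN"):
        raise ValueError("asymmetric key must not be used as an HMAC secret")
    header_b64, body_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


if __name__ == "__main__":
    token = make_hs256_token({"typ": "Refresh", "sub": "constructed-user"}, SECRET)
    print(decode_unverified(token))          # succeeds without any key
    print(verify_hs256(token, SECRET))       # succeeds only with the HMAC secret
```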

