[keycloak-user] HS256 Shared Secret

Stian Thorgersen sthorger at redhat.com
Wed Sep 25 04:34:49 EDT 2019


Refresh tokens should not be verified by applications, nor should they be
used by applications for anything other than obtaining new tokens. They
should be considered opaque.

On Mon, 23 Sep 2019, 18:57 Chandrashekhar, Nithin, <
Nithin.Chandrashekhar at teradata.com> wrote:

> Is there any way we can use RSA for signing refresh tokens instead of
> HS256?
>
> Thanks
> Nithin
>
> On 9/23/19, 8:25 AM, "keycloak-user-bounces at lists.jboss.org on behalf of
> Nick Powers" <keycloak-user-bounces at lists.jboss.org on behalf of
> sshscp at gmail.com> wrote:
>
>     I suggest using RSA instead of HS256.  With RSA you can confirm the
>     authenticity of the JWT by using Keycloak's public key.  The url
>     https://<keycloak-server>/auth/realms/<realm>
>     contains a json response with the public key.
>
>     On Mon, Sep 23, 2019 at 5:02 AM Stian Thorgersen <sthorger at redhat.com>
>     wrote:
>
>     > Keycloak does not support a shared secret at the moment. Tokens signed with
>     > HS256 can only be verified by Keycloak.
>     >
>     > Why are you asking?
>     >
>     > On Fri, 20 Sep 2019, 19:30 Sam Lewis, <sam at focus21.io> wrote:
>     >
>     > > How do you retrieve an HS256 shared secret?
>     > > _______________________________________________
>     > > keycloak-user mailing list
>     > > keycloak-user at lists.jboss.org
>     > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>     > >
>
>
>
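
An added example, not part of the thread or of Keycloak's code: application-side verification of an RS256-signed token against the realm's RSA public key, with the algorithm pinned so that an HS256-signed token (such as the refresh token discussed above) is refused and left opaque. It assumes the public key has already been decoded to the integers `n` and `e`; the demo key, the `make_token` helper and the claim values are constructed for illustration.

```python
import base64, hashlib, hmac, json

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa_pkcs1_v15(signing_input, k):
    """Encoded message an RS256 signature over signing_input must open to."""
    t = SHA256_PREFIX + hashlib.sha256(signing_input.encode()).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_rs256(token, n, e):
    """Return the claims of an RS256 JWT signed by public key (n, e), else raise ValueError."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except Exception as exc:
        raise ValueError("not a compact JWT") from exc
    # Pin the algorithm: an HS256 token (such as the refresh token) is not ours to check.
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("alg is not RS256, treat the token as opaque")
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    if len(signature) != k or s >= n:
        raise ValueError("malformed signature")
    opened = pow(s, e, n).to_bytes(k, "big")
    if not hmac.compare_digest(opened, emsa_pkcs1_v15(f"{head}.{body}", k)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(body))

# Constructed demo key built from two Mersenne primes: trivially factorable, demo only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def make_token(alg, claims):
    """Constructed sample token: RSA-signed when alg is RS256, dummy signature otherwise."""
    data = b64url(json.dumps({"alg": alg}).encode()) + "." + b64url(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    sig = b"\x00" * 32
    if alg == "RS256":
        em = int.from_bytes(emsa_pkcs1_v15(data, k), "big")
        sig = pow(em, D, N).to_bytes(k, "big")
    return data + "." + b64url(sig)
```

In a deployed application a maintained JWT library would do the signature check; the algorithm pin and the refusal to inspect HS256 tokens stay the same.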

