Refresh tokens should not be verified by applications, nor should they be
used by applications for anything other than obtaining new tokens. They
should be considered opaque.
On Mon, 23 Sep 2019, 18:57 Chandrashekhar, Nithin, <
Nithin.Chandrashekhar(a)teradata.com> wrote:
Is there any way we can use RSA for signing refresh tokens instead of
HS256?
Thanks
Nithin
On 9/23/19, 8:25 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf of
Nick Powers" <keycloak-user-bounces(a)lists.jboss.org on behalf of
sshscp(a)gmail.com> wrote:
I suggest using RSA instead of HS256. With RSA you can confirm the
authenticity of the JWT by using Keycloak's public key. The URL
https://<keycloak-server>/auth/realms/<realm>
contains a JSON response with the public key.
On Mon, Sep 23, 2019 at 5:02 AM Stian Thorgersen <sthorger(a)redhat.com>
wrote:
> Keycloak does not support a shared secret at the moment. Tokens signed with
> HS256 can only be verified by Keycloak.
>
> Why are you asking?
>
> On Fri, 20 Sep 2019, 19:30 Sam Lewis, <sam(a)focus21.io> wrote:
>
> > How do you retrieve an HS256 shared secret?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
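
An added example, not part of the thread and not Keycloak's own code, of the split the replies describe: an application checks an RS256 token against the realm's public key and treats an HS256 refresh token as opaque. The key pair, the server-only secret, the realm JSON and both tokens are constructed for the demo; `mint` and `verifyWithRealmKey` are hypothetical names, and `public_key` is assumed to hold the realm key as base64 DER.

```javascript
// Added example: all keys, tokens and the realm response below are constructed.
const crypto = require('node:crypto');
const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Stand-in for Keycloak: a realm RSA key pair plus an HMAC secret that never leaves the server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const serverOnlySecret = crypto.randomBytes(32);

// Assumed shape of the realm endpoint response: "public_key" is base64 DER (SubjectPublicKeyInfo).
const realmJson = JSON.stringify({
  realm: 'demo',
  public_key: publicKey.export({ type: 'spki', format: 'der' }).toString('base64'),
});

// Server side (hypothetical helper): RS256 for tokens apps verify, HS256 for refresh tokens.
function mint(alg, claims) {
  const input = `${b64url(JSON.stringify({ alg, typ: 'JWT' }))}.${b64url(JSON.stringify(claims))}`;
  const sig = alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(input), privateKey)
    : crypto.createHmac('sha256', serverOnlySecret).update(input).digest();
  return `${input}.${b64url(sig)}`;
}

// Application side: only RS256 tokens can be checked, using the realm public key.
function verifyWithRealmKey(token, realmResponse) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [h, p, s] = parts;
  let header;
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString()); }
  catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm; never let the token header select HS256 or "none".
  if (header.alg !== 'RS256') return { ok: false, reason: `unverifiable alg ${header.alg}` };
  const key = crypto.createPublicKey({
    key: Buffer.from(JSON.parse(realmResponse).public_key, 'base64'),
    format: 'der', type: 'spki',
  });
  const valid = crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'));
  if (!valid) return { ok: false, reason: 'bad signature' };
  // A real application must still validate exp, iss and aud before trusting the claims.
  return { ok: true, claims: JSON.parse(Buffer.from(p, 'base64url').toString()) };
}

const accessToken = mint('RS256', { sub: 'alice', typ: 'Bearer' });
const refreshToken = mint('HS256', { sub: 'alice', typ: 'Refresh' });
```

The refresh token is rejected by the application not because it is invalid but because the application holds no key that could check it; it is simply passed back to the server.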