Refresh tokens are JWS / signed tokens with HS256. You can decode/view the
contents, but won't be able to verify the signature as the keys are not
shared outside Keycloak server.
For the record there's nothing sensitive in the refresh token that is not
already available in ID/access tokens. Further, you should not rely on
information in the refresh token or the format of it as it can change from
release to release.
On Mon, 9 Sep 2019, 13:50 Eric Brown, <someericbrown(a)gmail.com> wrote:
Hello,
At first I struggled to understand why pyJWT was raising an error when
decoding a refresh token issued from keycloak using the client
credentials grant. The specified error was: "The specified key is an
asymmetric key or x509 certificate and should not be used as an HMAC
secret."
I now understand the issue:
The refresh token identifies itself as being HS256 encrypted in header so
pyjwt raises an error when I try to decrypt it with keycloak public key.
The problem is that I am able to decrypt it with the public key when
bypassing verification with verify=False to pyjwt.decode.
The access tokens received are identified as RS256 and are fine.
Pyjwt behavior with enabled verify is thus correct when preventing decode of
HS256 tokens with public keys.
The problem now seems to be this:
Shouldn't it be impossible to decrypt the HS256 refresh token with the
public key at all?
So it might seem that the refresh tokens are incorrectly labelled as HS256
in header but are truly RS256.
Thanks,
Eric
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
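An added example, not code from either message nor from Keycloak or pyJWT: it builds a constructed HS256 JWS with a made-up secret and shows that reading the header and claims needs no key at all (a JWS is base64-encoded and signed, not encrypted, which is why pyjwt.decode with verify=False "works" with any key), that verifying needs the HMAC secret Keycloak never shares, and that a PEM public key handed in as the HMAC secret is refused, as pyJWT does. The secret, the claims and the placeholder public key are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
# Constructed values: Keycloak never shares its HS256 secret, so this one exists only for the demo.
DEMO_SECRET = b"constructed-demo-hmac-secret-not-keycloaks"
DEMO_CLAIMS = {"typ": "Refresh", "iss": "https://keycloak.example/realms/demo", "azp": "my-client"}
DEMO_RSA_PUBLIC_KEY = b"-----BEGIN PUBLIC KEY-----\n(placeholder, not a real key)\n-----END PUBLIC KEY-----"

def b64url_decode(part: str) -> bytes:
    # JWS segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256(claims: dict, key: bytes) -> str:
    """Build an HS256 JWS the way a server would (only to have a sample token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def peek(token: str) -> tuple:
    """Read header and claims with no key (what pyjwt verify=False does).
    This is base64 decoding, not decryption: a JWS is signed, not encrypted."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, key: bytes) -> dict:
    """Check the HMAC and return the claims; raise ValueError if not trustworthy."""
    if b"-----BEGIN" in key:
        # Same refusal pyjwt gives: a PEM public key is not an HMAC secret.
        raise ValueError("asymmetric key or x509 certificate given as HMAC secret")
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("alg is not HS256")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    return json.loads(b64url_decode(payload_b64))

def verification_result(token: str, key: bytes) -> str:
    """'ok' or the refusal reason, for callers that log instead of catching."""
    try:
        verify_hs256(token, key)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

Run peek() on any Keycloak refresh token to see its contents; verification_result() with the realm's RSA public key reproduces the pyJWT refusal from the thread.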