Hi Folks,
As per the security need, we need to provide the functionality of rotating keys. The access
token is using RS256 as the key algorithm, but it looks like Keycloak signs the refresh
token with a different algorithm, using HMAC (HS256). We have a use case of offline tokens
and would like to get a new offline token when the key rotates. Is it possible to sign the
refresh token with the same key as the access token? The problem is we can only revoke the refresh
token – there is no way to rotate the refresh token key. Please advise. What do folks
usually do?
Shweta
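An added illustration of the key-rotation concern raised above for HMAC-signed refresh tokens (example code written for this thread, not Keycloak's implementation): HS256 tokens carry a `kid`, the verifier keeps a ring of active HMAC keys, and retiring a `kid` from the ring makes every token signed under it invalid. Key ids, secrets and claims are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, kid: str, key: bytes) -> str:
    """Produce a compact JWT signed with HMAC-SHA256, tagged with the key id."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def token_header(token: str) -> dict:
    """Decode the (unverified) JOSE header so 'alg' and 'kid' can be inspected."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def verify_hs256(token: str, active_keys: Dict[str, bytes]) -> Optional[dict]:
    """Return the payload if HS256-signed by a key still in the ring, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; the token must not choose it
        return None
    key = active_keys.get(header.get("kid", ""))
    if key is None:  # unknown or retired kid: token is no longer accepted
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def rotate_out(ring: Dict[str, bytes], kid: str) -> Dict[str, bytes]:
    """Rotation step: drop a key id from the ring so tokens under it stop verifying."""
    return {k: v for k, v in ring.items() if k != kid}


# Constructed sample key ring (hypothetical kids and secrets) and an offline-style token.
KEY_RING = {"hs-key-1": b"constructed-secret-1", "hs-key-2": b"constructed-secret-2"}
REFRESH_TOKEN = sign_hs256({"sub": "user-123", "typ": "Offline"}, "hs-key-1", KEY_RING["hs-key-1"])
```

Inspecting `token_header` on real access and refresh tokens is a quick way to confirm which algorithm and key id each one actually carries before planning a rotation.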