For RSA (asymmetric), you can retrieve the public key from the Admin console (realm > Keys
> RSA > Public key). It's only the pubkey that is needed for the RSA signature.
For symmetric algorithms, namely AES and HMAC, you should use the direct SQL query:
SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id)
WHERE provider_id = 'hmac-generated' AND CC.name = 'secret';
(similarly for 'aes-generated')
However, it seems like none of the online JWT debuggers, neither https://jsonwebtoken.io,
understand Keycloak's symmetric keys. The former simply fails every
time, and the latter, instead of verifying the signature, simply regenerates it with the
key supplied. I was only able to verify the RSA signature using https://jwt.io
and the RSA pubkey retrieved from Keycloak. The only pitfall is that you need to enclose
the pubkey in -----BEGIN RSA PUBLIC KEY----- and -----END RSA PUBLIC KEY-----.
As the online services do not seem to be very reliable, I'd suggest that you try using
one of the many libraries to verify the token yourself.
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
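A minimal, standard-library-only verifier for the HS256 case discussed above, added here as an example (it is not code from the reply or from Keycloak itself). It assumes the 'secret' value read from component_config is base64url-encoded, pins the algorithm instead of trusting the token header, and uses a constructed sample key rather than a real Keycloak secret.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url (the encoding JWT segments use)."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def keycloak_hmac_secret(db_value: str) -> bytes:
    """Turn the 'secret' string from component_config into raw key bytes.
    Assumption: Keycloak stores the generated HMAC secret base64url-encoded."""
    return b64url_decode(db_value)


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify an HS256 JWT with the given key; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier, not the token header, decides how to check.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a sample HS256 token; used only to construct test input here."""
    header_b64 = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


# Constructed sample DB value (base64url of 32 fixed bytes), not a real Keycloak secret.
SAMPLE_DB_SECRET = b64url_encode(bytes(range(32)))

if __name__ == "__main__":
    key = keycloak_hmac_secret(SAMPLE_DB_SECRET)
    tok = make_hs256_token({"iss": "https://sso.example.test/auth/realms/demo", "sub": "user1"}, key)
    print(verify_hs256(tok, key))
```

In production also check `exp`, `iss` and `aud` after the signature passes; the signature alone only proves the token came from the realm's key.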
On Wed, 2018-12-26 at 14:14 +0100, Bruno Mairlot wrote:
Dear List Members,
I am working on implementing Single Sign On with Keycloak and I have
implemented the Standard Flow. I can exchange the Authorization Grant to
receive the tokens, but I cannot find a way to verify them.
Each time I try to check the token, classical tools like jwt.io or
says the signature is incorrect.
I would like to know which secret Keycloak uses to sign the tokens (with
HS256), and where I can find it.
I tried the client secret, but it seems wrong to me.
Many thanks for your help,
keycloak-user mailing list