codependent

Reputation: 24472

How can I configure Keycloak to use HMAC algorithm as default instead of RSA?

I have created a new realm in Keycloak and in the admin tab Keys -> Active I can see three entries: RSA, HMAC, AES.

Whenever a JWT token is generated the signature algorithm used is RSA. How can I use HMAC instead?

Upvotes: 9

Views: 7974

Answers (2)

Alexander Yancharuk

Reputation: 14531

In Keycloak 20.0.3 you need to go to "Tokens" tab and choose HS256 algorithm:

Upvotes: 1

frieda1234

Reputation: 96

I had the same question and found the following answers:

The latest documentation says that only rsa is supported for access tokens. (http://www.keycloak.org/docs/3.3/server_admin/topics/realms/keys.html)

There is the plan to sign refresh tokens with hmac. Look at this user mailing list entry for more details: "It is not great to sign accessTokens and idTokens by HMAC anyway since the applications will need to have access to realm signing key. As it is symmetric stuff. This can be security hole as then the application can generate and sign tokens by itself. Hence we rather rely on the asymmetric cryptography - Keycloak signs tokens with private key and application has just public key to verify signatures." http://lists.jboss.org/pipermail/keycloak-user/2017-May/010809.html

Here is the JIRA for it: https://issues.jboss.org/browse/KEYCLOAK-4623 and internally https://issues.jboss.org/browse/KEYCLOAK-4622

Upvotes: 8
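As an added illustration of the key-sharing point in the quoted mailing-list reply (this is example code, not the question's, the answers' or Keycloak's own code), the following stdlib-only HS256 verifier shows that an application able to verify HMAC-signed tokens necessarily holds the same realm secret that signs them; the secret value and the claim contents are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT. Whoever holds `secret` can do this, which is the
    concern in the mailing-list quote: an application that verifies HS256
    tokens necessarily holds the realm signing key too."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify an HS256 JWT against the shared realm secret. Pins the
    algorithm (so 'none' or an RSA alg is refused), compares the MAC in
    constant time and enforces 'exp'. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if "exp" in claims and claims["exp"] <= (int(time.time()) if now is None else now):
        raise ValueError("token expired")
    return claims

# Constructed realm secret for the example (Keycloak generates the real one under Keys -> Active).
REALM_HMAC_SECRET = b"constructed-realm-hmac-secret-do-not-reuse"

def key_sharing_demo() -> dict:
    """Show the consequence of symmetric signing: the secret the application
    needs for verification also lets it mint tokens Keycloak never issued."""
    issued = sign_hs256({"iss": "keycloak", "sub": "alice", "exp": 2_000_000_000}, REALM_HMAC_SECRET)
    self_minted = sign_hs256({"iss": "keycloak", "sub": "bob", "exp": 2_000_000_000}, REALM_HMAC_SECRET)
    return {"issued": verify_hs256(issued, REALM_HMAC_SECRET, now=1_000)["sub"],
            "self_minted": verify_hs256(self_minted, REALM_HMAC_SECRET, now=1_000)["sub"]}
```

With RS256 the verifier only needs the realm public key, so the second token could not be produced by the application; that asymmetry is the reason given in the quote for keeping RSA as the default.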