Access keys signed with HS256 instead of RS256

Hi!

My Keycloak signs access tokens with HS256 even though I think I’ve configured my server correctly so that it signs them with RS256.
I would like to force it to sign using RS256 so that I can verify the signatures with the RS256 public key.

Here are the different keys on my server. I tried to remove the HS256 key but when it needs to sign an access token, it automatically recreates one:

Despite my configuration in:
Realm settings → Tokens → Default Signature Algorithm: RS256

I use Keycloak 23.0.6.

Here’s a Stack Overflow link from someone who seems to have a similar problem to mine:

Did you ever find a solution? I just got dinged on a penetration test that I should not be using HS256. Like you I have the default token algorithm set to RS256.

Hi everyone, I have the same issue.
I want JWT tokens signed with RS256 but I’m getting HS512.

Hi,
If someone is still facing the issue, you have to change the settings of your client. Click on the client and go to the “Advanced” tab. Under the section “Fine grain OpenID Connect configuration”, change the value of the field “Access token signature algorithm” to “RS256”.

I am facing a similar issue. I performed the steps cited by user ‘deeppat’ and still see the same error. Were there any other steps required?
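
To confirm which algorithm and key a given token actually uses after changing the settings discussed above, this added example (not code from any poster or from Keycloak) decodes the token's header and claims without verifying it. The `typ` and `azp` claim names are assumptions about what the issued token carries; the sample tokens, key ids and client name are constructed.

```python
import base64
import json

def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment (padding is stripped in JWTs)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def inspect_token(token: str, expected_alg: str = "RS256") -> dict:
    """Report the UNVERIFIED header and claims needed for diagnosis.

    This only reads the token; it does not validate the signature. A real
    verifier must pin the accepted algorithm itself instead of trusting
    the header's "alg" value.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = _b64url_json(parts[0]), _b64url_json(parts[1])
    return {
        "alg": header.get("alg"),
        "kid": header.get("kid"),      # compare with the realm's key list
        "typ": claims.get("typ"),      # assumed: "Bearer" = access token
        "azp": claims.get("azp"),      # assumed: client the token was issued to
        "alg_ok": header.get("alg") == expected_alg,
    }

def _sample(alg: str, kid: str, typ: str) -> str:
    """Build a constructed, unsigned sample token for the demo below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    claims = {"typ": typ, "azp": "my-client"}
    return f"{enc(header)}.{enc(claims)}.c2lnbmF0dXJl"

# Constructed samples: key ids and client name are placeholders.
SAMPLE_HS256 = _sample("HS256", "hmac-key-id", "Bearer")
SAMPLE_RS256 = _sample("RS256", "rsa-key-id", "Bearer")

if __name__ == "__main__":
    for tok in (SAMPLE_HS256, SAMPLE_RS256):
        print(inspect_token(tok))
```

Run it against the exact token string your application receives; the reported `kid` tells you which key in the realm signed it, and `typ` tells you which kind of token you are looking at.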