  1. Keycloak
  2. KEYCLOAK-4622

Use HS256 for refresh tokens

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 3.0.0.CR1
    • Fix Version/s: 4.5.0.Final
    • Component/s: None

      Description

      Currently we sign refresh tokens with RSA. We can probably save some performance points by using HMAC for refresh tokens instead, since it's Keycloak itself which signs and verifies them, and from the adapter perspective, the refresh token is just an opaque string.

      We should just make sure that when this is changed, offline tokens migrated from previous versions will still work. We can probably support both RSA and HMAC for verifying tokens and decide based on the JWT header.

              People

              Assignee:
              stianst Stian Thorgersen
              Reporter:
              mposolda Marek Posolda
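The verification approach suggested in the description (accept both RSA and HMAC and decide from the JWT header), as an added Python sketch that is not Keycloak code: each `kid` is bound to exactly one algorithm and the header's `alg` is only checked against that binding, so migrated RS256 offline tokens and new HS256 refresh tokens both verify. The key ids, the HMAC secret and the toy RSA key built from two Mersenne primes are constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed demo keys (assumptions, insecure): RSA modulus from two Mersenne
# primes and a fixed HMAC secret. Real keys come from the server's key store.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
KEYS = {  # kid -> (the only alg this key may be used with, verification key)
    "rsa-old": ("RS256", (N, E)),
    "hmac-new": ("HS256", b"constructed-demo-secret-32-bytes"),
}
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def unb64u(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) for a k-byte modulus."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(kid, claims):
    alg, key = KEYS[kid]
    header = {"alg": alg, "kid": kid}
    msg = b64u(json.dumps(header).encode()) + b"." + b64u(json.dumps(claims).encode())
    if alg == "HS256":
        sig = hmac.new(key, msg, hashlib.sha256).digest()
    else:  # RS256, signed with the demo private exponent D
        k = (N.bit_length() + 7) // 8
        sig = pow(int.from_bytes(emsa(msg, k), "big"), D, N).to_bytes(k, "big")
    return (msg + b"." + b64u(sig)).decode()

def verify(token):
    h, p, s = token.encode().split(b".")
    header = json.loads(unb64u(h))
    alg, key = KEYS.get(header.get("kid"), (None, None))
    if alg is None or header.get("alg") != alg:  # header alg must match the key's
        return None
    msg, sig = h + b"." + p, unb64u(s)
    if alg == "HS256":
        ok = hmac.compare_digest(sig, hmac.new(key, msg, hashlib.sha256).digest())
    else:
        n, e = key
        k = (n.bit_length() + 7) // 8
        ok = len(sig) == k and pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == emsa(msg, k)
    return json.loads(unb64u(p)) if ok else None
```

`verify` returns the claims for a valid token and `None` for an unknown `kid`, a header `alg` that disagrees with the key's bound algorithm, or a bad signature.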