How can I configure Keycloak to use HMAC algorithm as default instead of RSA?

I have created a new realm in Keycloak and in the admin tab Keys -> Active I can see three entries: RSA, HMAC, AES.

Whenever a JWT token is generated the signature algorithm used is RSA. How can I use HMAC instead?

codependent asked Jan 20 '18
1 Answer

I had the same question and found the following answers:

The latest documentation says that only RSA is supported for access tokens. (http://www.keycloak.org/docs/3.3/server_admin/topics/realms/keys.html)

There is a plan to sign refresh tokens with HMAC. Look at this user mailing list entry for more details: "It is not great to sign accessTokens and idTokens by HMAC anyway since the applications will need to have access to the realm signing key. As it is symmetric stuff. This can be a security hole as then the application can generate and sign tokens by itself. Hence we rather rely on the asymmetric cryptography - Keycloak signs tokens with the private key and the application has just the public key to verify signatures." http://lists.jboss.org/pipermail/keycloak-user/2017-May/010809.html

Here is the JIRA for it: https://issues.jboss.org/browse/KEYCLOAK-4623 and internally https://issues.jboss.org/browse/KEYCLOAK-4622

frieda1234 answered Jan 04 '23
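The trade-off the quoted mailing-list post describes, as an added example that is not part of this page or of Keycloak's code base: a minimal HS256/RS256 JWT signer and verifier in Go using only the standard library. All keys, claims and function names are constructed for the demo. With HS256 the verifying application holds the same realm key the server signs with, so a token it mints for itself verifies exactly like a server-issued one; with RS256 it holds only the public key and can verify but not sign. The verifier also pins the expected `alg`, so a token whose header names a different algorithm is rejected before any key material is used.

```go
package main

// Added example, not Keycloak's own code: a minimal JWS compact-serialization
// signer/verifier for HS256 (HMAC) and RS256 (RSA). An HS256 verifier must hold
// the realm signing key and so can mint tokens itself; an RS256 verifier needs
// only the public key. All keys and claims below are constructed for the demo.

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

func seg(v any) string { b, _ := json.Marshal(v); return b64.EncodeToString(b) }

// signingInput is "base64url(header).base64url(claims)" for the given alg.
func signingInput(alg string, claims map[string]any) string {
	return seg(map[string]string{"alg": alg}) + "." + seg(claims)
}

// parse splits a compact JWS and checks that the header pins the expected alg,
// so a token labelled with another algorithm is rejected before any key is used.
func parse(token, wantAlg string) (parts []string, sig []byte, err error) {
	parts = strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, nil, errors.New("token must have three segments")
	}
	var header map[string]string
	if hb, e := b64.DecodeString(parts[0]); e != nil || json.Unmarshal(hb, &header) != nil {
		return nil, nil, errors.New("bad header")
	}
	if header["alg"] != wantAlg {
		return nil, nil, errors.New("unexpected alg " + header["alg"])
	}
	sig, err = b64.DecodeString(parts[2])
	return parts, sig, err
}

// SignHS256 mints an HS256 token; anyone holding key can do this.
func SignHS256(key []byte, claims map[string]any) string {
	input := signingInput("HS256", claims)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 recomputes the MAC with the shared key and compares in constant time.
func VerifyHS256(key []byte, token string) error {
	parts, sig, err := parse(token, "HS256")
	if err != nil {
		return err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// SignRS256 mints an RS256 token; only the private-key holder can do this.
func SignRS256(priv *rsa.PrivateKey, claims map[string]any) (string, error) {
	input := signingInput("RS256", claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks the signature with the public key alone.
func VerifyRS256(pub *rsa.PublicKey, token string) error {
	parts, sig, err := parse(token, "RS256")
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	realmKey := []byte("constructed-realm-hmac-key") // the verifying app holds this too
	tok := SignHS256(realmKey, map[string]any{"sub": "alice", "role": "admin"})
	fmt.Println("HS256: token minted by the verifier accepted:", VerifyHS256(realmKey, tok) == nil)
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	tok, _ = SignRS256(priv, map[string]any{"sub": "alice", "role": "user"})
	fmt.Println("RS256: token verifies with the public key alone:", VerifyRS256(&priv.PublicKey, tok) == nil)
}
```

Run it with `go run`. The first line prints `true` because the HMAC verifier and the HMAC signer are the same key holder; the second prints `true` while the RS256 verifier has never seen the private key. This is the property the mailing-list post relies on: distributing a public key to every client is harmless, distributing a realm HMAC key makes every client a token issuer.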