How to verify a HS256 signed JWT Token created with Keycloak authentication provider on jwt.io

I am trying to verify an HS256 JWT token generated by a locally running Keycloak authentication provider on https://jwt.io.

The Keycloak instance is running on my local machine inside a Docker container. I have applied almost the same steps as described in this answer (which, by contrast, applies the RS algorithm instead, and works as described): https://stackoverflow.com/a/55002225/1534753

My validation procedure is very simple:

1.) Request the token (with Postman) from my local Docker Keycloak instance with a POST request to http://localhost:8080/auth/realms/dev/protocol/openid-connect/token

2.) Copy the token contents inside the jwt.io's "Encoded" section

3.) I verify that the header and payload are as expected and correct

4.) I copy the client secret from my Keycloak instance's admin dashboard; you can see the reference in the image below:


5.) I paste the secret into the "VERIFY SIGNATURE" section on jwt.io and the "Encoded" token section changes, hence resulting in an invalid signature and an invalid (i.e. different) token.

My core question is: what am I missing here? Why does the token change when I apply the expected secret? Am I applying the right secret, the one from the client? If I understand the JWT infrastructure and standard correctly, then it should stay the same if the secret (with the expected algorithm applied) is valid. My reasoning is that something about JWT creation on Keycloak is specific. I have not touched the HS256 algorithm provider on Keycloak; everything is used as default from the Docker installation guide on using Keycloak. The settings related to the token and algorithm are set up to use HS256, and the algorithm is specified as expected in the JWT's header section, which can be verified after the encoded token is pasted into jwt.io's page.

I need this to work as I am trying to apply the same JWT validation process inside a .NET Core web API application. I have encountered this whole issue there, i.e. inside System.IdentityModel.Tokens.JWT and the JwtSecurityTokenHandle.ValidateSignature method, which results in an invalid signature and finally in an exception.

On a side note, I am accessing the token with Postman and its Authorize feature; the configuration can be seen in the image below:


One more side note: I have a user "John" who belongs to my "Demo" realm. I use him to request an access token from Keycloak.

Vedran Mandić asked Oct 22 '19 09:10


2 Answers

To get the secret used for signing/verifying HS256 tokens, try using the following SQL:

SELECT value FROM component_config CC INNER JOIN component C ON(CC.component_id = C.id) WHERE C.realm_id = '<realm-id-here>' and provider_id = 'hmac-generated' AND CC.name = 'secret';

If you use the resulting secret to verify the tokens, the signature should match. I’m not sure if this secret is available through the UI, probably not.

Source: https://keycloak.discourse.group/t/invalid-signature-with-hs256-token/3228/3

Helder answered Oct 09 '22 14:10
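The check that jwt.io (and the .NET token handler mentioned in the question) performs on an HS256 token, as an added Python example that is not part of either answer: it recomputes the HMAC-SHA256 over the first two segments and compares it with the third, so a token only verifies with the key that actually signed it. The realm key, client secret and token below are constructed sample values; the `secret_is_base64url` switch treats the secret as base64url-encoded key bytes instead of literal text (the equivalent of jwt.io's "secret base64 encoded" checkbox), and which mode applies to a value read out of Keycloak's database is not stated on this page and must be checked against the instance.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT segments require (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped '=' padding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: str, secret_is_base64url: bool = False) -> bool:
    """Recompute the HMAC over header.payload and compare it in constant time.

    secret_is_base64url=True decodes the secret into raw key bytes first;
    otherwise the UTF-8 bytes of the secret string are used as the key.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        return False  # not a well-formed three-segment compact serialization
    if header.get("alg") != "HS256":
        return False  # the verifier, not the token header, decides the algorithm
    key = b64url_decode(secret) if secret_is_base64url else secret.encode("utf-8")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


# Constructed sample values; a real realm HMAC key is random and not a readable string.
REALM_HMAC_KEY = b"constructed-realm-hmac-key-not-from-keycloak"
CLIENT_SECRET = "constructed-client-credentials-secret"
SAMPLE_TOKEN = sign_hs256(
    {"alg": "HS256", "typ": "JWT"},
    {"iss": "http://localhost:8080/auth/realms/dev", "preferred_username": "john"},
    REALM_HMAC_KEY,
)
```

Verifying SAMPLE_TOKEN with the client secret fails exactly as the question describes, while the realm key (as text, or base64url-encoded with the switch set) succeeds.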


You can try using Keycloak Gatekeeper. If you want to verify the token in that way, you need to change the Client Authenticator to "Signed JWT with client secret"; otherwise you can use this "Gatekeeper" option. Here you can read more about it.

Roberto Yoc answered Oct 09 '22 16:10