
I have the following setup with a keycloak authentication server and an application:

  1. user logs in on application client side, sends un/pw to server
  2. application server sends un/pw to keycloak server for a token
  3. keycloak server sends a token back to application server
  4. application server outputs web page with sensitive data

I want to use RS256 to sign my tokens. When I try to get a token on the client side, they are correctly signed with RS256, but as soon as I try to get one on the application server, HS256 is used. How can I set keycloak to use RS256 in both cases?

I use the /auth/realms/{REALM_NAME}/protocol/openid-connect/token endpoint and keycloak 10.0.1.

Keycloak configuration:

  • keys
    • default signing algorithm for the realm is set to RS256
    • first config: realm keys are HS256, AES, and RS256 (listed in this order) all with a priority of 100
    • second config: I set the RS256 key priority to a higher value, but HS256 is used
    • as a last try, I made every other key passive in the realm. When signing a token, keycloak just generated a "fallback hs256" key to use instead of the active rs256.
  • client
    • access token signature algorithm and ID token signature algorithm for the client are set to RS256
    • the client is public
    • Valid redirect URIs contain the domain where the application server is currently running (which is localhost but my computer has a domain name)
    • Web origins is set to "+" (which as far as I'm aware copies entries from valid red. uris)

Request:

  • Origin, Referer, and Content-Type headers match in app client and app server requests
  • both the browser and postman work as clients as expected
  • app server is php and I use curl to make post requests (client also makes post requests)
  • both the client and the app server run on local machine

Google seems to return no results related to my problem. Restarting the keycloak server after modifying any settings also doesn't seem to bring any results, so I assume any changes I made are automatically used.

sisisisi
  • Have you been able to solve the problem? I'm stuck with exactly the same.. – Thomas Nov 26 '21 at 08:34
  • No, but I'll get back to you when (if) I can. – sisisisi Dec 06 '21 at 15:14
  • Thanks. I got it to work. Removed old docker volumes (I'm using dockerized keycloak) and configured RS256 algorithm for my client in "Fine Grain OpenID Connect Configuration". – Thomas Dec 06 '21 at 16:42
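An added example, not code from the question or from Keycloak: a small gate the application server can run on every token it receives from the token endpoint, which decodes the JOSE header and refuses anything not signed with the expected RS256 key, so a realm that silently falls back to HS256 (as described above) fails loudly instead of being trusted. The sample tokens are constructed here with placeholder signatures, and `rs-key-1` / `fallback-hs256` are made-up key ids.

```python
import base64
import json

EXPECTED_ALG = "RS256"  # the realm/client signature algorithm the question expects


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_header(token: str) -> dict:
    """Return the decoded JOSE header of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[0]))


def check_token_alg(token: str, expected_alg: str = EXPECTED_ALG) -> str:
    """Reject a token whose header does not declare the expected asymmetric alg.

    Returns the key id so the caller can select the matching realm public key
    from the realm's JWKS before handing the token to a verifying library.
    """
    header = jwt_header(token)
    alg = header.get("alg")
    if alg != expected_alg:
        raise ValueError(f"token signed with {alg!r}, expected {expected_alg!r}")
    kid = header.get("kid")
    if not kid:
        raise ValueError("token header has no kid; cannot select a realm public key")
    return kid


def _constructed_token(header: dict) -> str:
    # Constructed sample: header + minimal payload + placeholder signature segment
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc({"sub": "demo"}), "placeholder-signature"])


# Constructed tokens mimicking the two headers the question describes (kids are made up)
RS256_SAMPLE = _constructed_token({"alg": "RS256", "typ": "JWT", "kid": "rs-key-1"})
HS256_SAMPLE = _constructed_token({"alg": "HS256", "typ": "JWT", "kid": "fallback-hs256"})

if __name__ == "__main__":
    print("accepted, kid =", check_token_alg(RS256_SAMPLE))
    try:
        check_token_alg(HS256_SAMPLE)
    except ValueError as err:
        print("rejected:", err)
```

Running the same header check against a real token from the /auth/realms/{REALM_NAME}/protocol/openid-connect/token endpoint shows directly which `alg` and `kid` Keycloak used for the app-server request versus the client request.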

0 Answers