Is it possible to use RSA-512 instead of RSA-256 at Keycloak?


I guess Keycloak has predefined algorithms/Active Keys such as RSA256, AES and HS256?

Is it possible to use RSA512 instead of RSA256?

Thank you for your kind help.


There are 2 answers

Paul Lysak (BEST ANSWER)

In addition to the rsa-generated provider settings, you may need to go to "Client details" -> "Advanced" -> "Fine grain OpenID Connect configuration" and specify RS512 in "Access token signature algorithm" and "ID token signature algorithm". Otherwise, Keycloak creates a fallback RS256 provider and keeps using the RS256 algorithm.

zaerymoghaddam

You're right. It has some predefined algorithms and keys. But you can change their settings and force Keycloak to use RSA512. In order to do so, in your realm settings, go to the "Keys" tab and select "Providers" sub-tab. There you can click on the "Edit" button of the rsa-generated provider (that exists by default) and change its algorithm or key size to another value. In short:

Realm Settings > Keys > Providers > Edit (of rsa-generated row)

In the providers list, you also have the option to upload your own keystore with a proper private key that uses the algorithm you prefer.
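After applying either answer's settings (the rsa-generated provider and the client's signature-algorithm fields), a quick way to confirm the change took effect is to decode the header of an issued token and compare it with the keys the realm publishes. The following is an added example, not code from Keycloak or from either answer; the realm URL, key ids and JWKS document are constructed placeholders, and no signature verification is performed.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(alg: str, kid: str) -> str:
    """Build a constructed compact JWT with the given header. Payload and signature
    are placeholder bytes, so this only exercises the header checks below."""
    header = _b64url(json.dumps({"alg": alg, "typ": "JWT", "kid": kid}).encode())
    payload = _b64url(json.dumps({"iss": "https://sso.example.test/realms/demo", "sub": "alice"}).encode())
    signature = _b64url(b"\x00" * 64)  # placeholder, not a real RSA signature
    return f"{header}.{payload}.{signature}"


# Constructed JWKS in the shape of the realm's .../protocol/openid-connect/certs
# response: one entry per active realm key, carrying its "alg" and "kid".
SAMPLE_JWKS = {
    "keys": [
        {"kid": "key-rs256-old", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"},
        {"kid": "key-rs512-1", "kty": "RSA", "alg": "RS512", "use": "sig", "n": "PLACEHOLDER", "e": "AQAB"},
    ]
}


def token_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT. No signature is verified here; this
    only reads which algorithm and key id the issuer claims to have used."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def check_signing_alg(token: str, jwks: dict, expected_alg: str = "RS512") -> list:
    """Return a list of findings. An empty list means the token header names the
    expected algorithm and its kid maps to a realm key published with that algorithm."""
    findings = []
    header = token_header(token)
    if header.get("alg") != expected_alg:
        findings.append(f"token alg is {header.get('alg')!r}, expected {expected_alg!r}; "
                        "check the client's access/ID token signature algorithm settings")
    key = next((k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")), None)
    if key is None:
        findings.append(f"kid {header.get('kid')!r} is not published in the realm JWKS")
    elif key.get("alg") != expected_alg:
        findings.append(f"realm key {key['kid']!r} uses {key.get('alg')!r}, expected {expected_alg!r}; "
                        "check the rsa-generated provider's algorithm")
    return findings


if __name__ == "__main__":
    print(check_signing_alg(make_token("RS512", "key-rs512-1"), SAMPLE_JWKS))  # []
    print(check_signing_alg(make_token("RS256", "key-rs256-old"), SAMPLE_JWKS))
```

Against a live realm, replace SAMPLE_JWKS with the JSON fetched from the realm's certs endpoint and pass a real access token; a non-empty list points at which of the two settings still needs changing.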