NiFi Registry OIDC: IllegalArgumentException (RS256 vs HS256) when passing Keycloak Access Token directly to API

TyTheNiFiGuy — Fri, 02 Jan 2026 20:32:52 GMT

Environment:
NiFi Registry: [2.4.0]
Deployment: Kubernetes, Helm, Zarf
Authentication: OIDC via Keycloak
Client: Golang automation job running in the cluster

Goal: I am running a Golang job in Kubernetes to perform initial configuration of the NiFi Registry (creating buckets/flows). The job fetches an Access Token from Keycloak and sends it in the Authorization: Bearer header to the Registry API endpoint: GET /nifi-registry-api/access.

Issue: The request fails with a 401, and the NiFi Registry logs show an IllegalArgumentException indicating an algorithm mismatch in the JWT signature validation

The logs related to this request are attached.Analysis of these logs

The Access Token issued by Keycloak is signed using RS256 (asymmetric RSA), which requires a public key to verify. However, the stack trace explicitly shows an IllegalArgumentException stating that the validation logic cannot handle asymmetric algorithms. It seems that the Registry's JwtIdentityProvider is attempting to validate the incoming token using HMAC.

We don't see this mismatch with NiFi itself, only the NiFi registry. We are able to do configuration and setup on the NiFi application, but when trying to access NiFi Registry with a token from keycloak, we see this token error.

Is there a way to configure the registry to accept RS256 tokens? Is there an alternative approach to making requests against the NiFi Registry using some sort of service account? We need to have the NiFi Registry configured with keycloak, but we also need this configuration job to run at deployment time to do setup. We won't have users created through the UI yet that we can leverage.

I can also post the decoded token contents if that helps, but it seems like it's an issue with the actual token signing algorithms and not the content of the token. At least that's my assumption.

Re: NiFi Registry OIDC: IllegalArgumentException (RS256 vs HS256) when passing Keycloak Access Token directly to API

vafs — Mon, 05 Jan 2026 21:44:02 GMT

Hello @TyTheNiFiGuy,

Thanks for being part of our community.

I was checking that NiFi Registry does not have support for asymmetric RSA such as RS256.
That is a limitation itself, and not a problem in your token.

The log do tell this:

2026-01-02 18:22:27,220 INFO [NiFi logging handler] org.apache.nifi.registry.StdOut Caused by: java.lang.IllegalArgumentException: The default resolveSigningKey(JwsHeader, Claims) implementation cannot be used for asymmetric key algorithms (RSA, Elliptic Curve).  Override the resolveSigningKey(JwsHeader, Claims) method instead and return a Key instance appropriate for the RS256 algorithm.

Checking the code, I see that only HS256 is supported:
private static final MacAlgorithm SIGNATURE_ALGORITHM = Jwts.SIG.HS256;
https://github.com/apache/nifi/blob/9998b6d9ce21a66db240ff6131fc882002285e8b/nifi-registry/nifi-registry-core/nifi-registry-web-api/src/main/java/org/apache/nifi/registry/web/security/authentication/jwt/JwtService.java#L53C1-L54C1

question Re: NiFi Registry OIDC: IllegalArgumentException (RS256 vs HS256) when passing Keycloak Access Token directly to API in Support Questions

NiFi Registry OIDC: IllegalArgumentException (RS256 vs HS256) when passing Keycloak Access Token directly to API

Re: NiFi Registry OIDC: IllegalArgumentException (RS256 vs HS256) when passing Keycloak Access Token directly to API