=== Exploit against fixed Keycloak (keycloak-fixed-cve11800) === Admin token obtained. Create realm: 201 Realm issuer: http://localhost:8080/realms/test-realm RSA key pair generated. DER bytes: 294 Create IdP: 201 Create client: 201 Create user: 201 Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT payload: {"jti": "1b8fd6f6-0636-481c-aca1-caca7de4fe74", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266068, "iat": 1783265768} HMAC secret = RSA public key DER bytes (294 bytes) Submitting HS256 assertion to token endpoint... Response status: 400 fixed: HS256 assertion REJECTED. Error: invalid_grant, Description: Invalid signature algorithm