ForgeRock Identity Platform
Does not apply to Identity Cloud

Security scan shows use of SHA-1 in Utils class in AM (All versions)

Last updated Jan 16, 2023

The purpose of this article is to explain why a security/vulnerability scan shows the use of SHA-1 in the Utils class in AM, specifically in the org.forgerock.oauth2.core.Utils#getKid method.



Some security or vulnerability scans may flag the use of SHA-1 (an insecure hashing algorithm) in the Utils class, with specific reference to the org.forgerock.oauth2.core.Utils#getKid method.

The Utils class in OAuth2 uses SHA-1 to create an identifier (the kid value) from the hash of the public key (org.forgerock.oauth2.core.Utils#getKid). This SHA-1 usage has no security implications: the input is public key material and the kid serves only as a lookup label, so no secret or confidential information is hashed during this process.


Changing the hash algorithm would change the kid of every existing key and so invalidate previously signed or encrypted material, such as stateless OAuth2 access tokens, OpenID Connect ID tokens and other security tokens, because the kid recorded in those tokens would no longer match any key.
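To illustrate why the kid derivation is harmless yet must stay stable, here is an added example (not AM's own code) with constructed stand-in key bytes and a hypothetical derive_kid helper: a token header carries the SHA-1-derived kid, and regenerating kids with a different hash breaks key lookup for already-issued tokens.

```python
import base64
import hashlib
from typing import Dict, List, Optional

# Constructed stand-ins for DER-encoded public keys; not real keys and not AM's values.
PUBLIC_KEY_A = b"constructed-rsa-public-key-A"
PUBLIC_KEY_B = b"constructed-rsa-public-key-B"


def derive_kid(public_key: bytes, algorithm: str = "sha1") -> str:
    """Derive a key identifier by hashing the public key (hypothetical helper).

    Only public material goes into the hash, so the digest reveals nothing
    secret; the kid merely selects which published key to try, and the token
    signature is still verified with that key afterwards.
    """
    digest = hashlib.new(algorithm, public_key).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_key_set(public_keys: List[bytes], algorithm: str = "sha1") -> Dict[str, bytes]:
    """Index public keys by the kid a verifier will look up (hypothetical helper)."""
    return {derive_kid(key, algorithm): key for key in public_keys}


def resolve_key(key_set: Dict[str, bytes], token_header: dict) -> Optional[bytes]:
    """Select the key named in a token's JOSE header; None means it cannot be verified."""
    return key_set.get(token_header.get("kid"))


# A previously issued token carries the kid computed with SHA-1 at signing time.
ISSUED_TOKEN_HEADER = {"alg": "RS256", "kid": derive_kid(PUBLIC_KEY_A, "sha1")}

if __name__ == "__main__":
    current = build_key_set([PUBLIC_KEY_A, PUBLIC_KEY_B], "sha1")
    # Same keys, but kids regenerated with SHA-256: the old header matches nothing.
    changed = build_key_set([PUBLIC_KEY_A, PUBLIC_KEY_B], "sha256")
    print("lookup with SHA-1 kids:", resolve_key(current, ISSUED_TOKEN_HEADER) == PUBLIC_KEY_A)  # True
    print("lookup after switching to SHA-256:", resolve_key(changed, ISSUED_TOKEN_HEADER))  # None
```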


Reports of this particular use of SHA-1 can be safely ignored.

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.