keycloak-core is vulnerable to timing attacks. The vulnerability is possible because the HMAC signature comparison algorithm used by its JWS token code is not performed in constant time. Therefore, an attacker can trigger a timing attack through the JWS tokens.