[keycloak-user] OpenID Connect support

Iván Perdomo ivan at akvo.org
Mon Oct 20 13:22:24 EDT 2014


Hi,

On Mon, 20 Oct 2014 12:04:44 -0400
Bill Burke <bburke at redhat.com> wrote:

> Can't really tell, but maybe your library doesn't like the token
> format we send back?  Just looking at the 1st exception in the log...
> 
> Log a jira and we can look into it.  Our queue is pretty full at the 
> moment though.

I added some more logging, and I think I can identify some wrong values
in the ID Token returned by Keycloak.

This is a sample token by MITREid Connect:

{header={"alg":"RS256"},
payload={"aud":["foobar"],"exp":1413824459,"iat":1413823859,"iss":"https://login.akvotest.org/mitreid/","sub":"01921.FLANRJQW"}}

This is a sample token returned by Keycloak:

{header={"alg":"RS256"},
payload={"aud":"akvo","azp":"foobar","exp":1413823598,"iat":1413823298,"iss":"akvo","jti":"0cbe4757-90fe-470f-9b86-29bfd9646437","nbf":0,"sub":"0959c25d-535b-4ab4-b533-d70d3db5c758","name":"User Akvo","email":"user at akvo.org","given_name":"User","family_name":"Akvo","preferred_username":"user","email_verified":true}}

There are wrong values in the Keycloak token [1]:

* iss - Keycloak is returning the Realm name, while it needs to be the
  URL of the issuer [2]
* aud - this value must contain the client_id ("foobar" in our case), but
  Keycloak is returning the Realm name.

If you can provide some guidance, I would like to help fix this
issue.

[1]
http://openid.net/specs/openid-connect-basic-1_0-23.html#id.token.validation
[2] http://openid.net/specs/openid-connect-basic-1_0-23.html#id_token

Cheers,

-- 
Iván
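The two ID Token validation rules the message points at (iss must be the https URL of the issuer and must match the one the client expects; aud must contain the client's client_id, with azp checked when it is present) are easy to get wrong on the relying-party side as well. The following is an added example, not code from the original post, from Keycloak or from MITREid Connect: a small claims validator written against OpenID Connect Basic Client 1.0 section 2.2.1, run over the two payloads quoted above (re-typed here as constructed Python dicts, trimmed to the claims that matter). Signature verification is assumed to have been done already and is out of scope; the expected Keycloak issuer URL and the fixed "now" timestamps are assumptions chosen to make the run deterministic.

```python
"""Validate ID Token claims per OpenID Connect Basic Client 1.0, section 2.2.1.

Added example; not Keycloak or MITREid Connect code. The JWS signature is
assumed to have been verified already; only claim values are checked here.
"""
import time
from urllib.parse import urlparse

# Constructed sample payloads, taken from the two tokens quoted in the
# thread and trimmed to the claims that the validation rules use.
MITREID_CLAIMS = {
    "aud": ["foobar"],
    "exp": 1413824459,
    "iat": 1413823859,
    "iss": "https://login.akvotest.org/mitreid/",
    "sub": "01921.FLANRJQW",
}
KEYCLOAK_CLAIMS = {
    "aud": "akvo",          # realm name, not the client_id
    "azp": "foobar",
    "exp": 1413823598,
    "iat": 1413823298,
    "iss": "akvo",          # realm name, not an https URL
    "jti": "0cbe4757-90fe-470f-9b86-29bfd9646437",
    "nbf": 0,
    "sub": "0959c25d-535b-4ab4-b533-d70d3db5c758",
}

# Assumed issuer a relying party would have configured for the realm.
EXPECTED_KEYCLOAK_ISSUER = "https://login.akvotest.org/auth/realms/akvo"


def validate_id_token_claims(claims, expected_issuer, client_id, now=None, leeway=0):
    """Return a list of human-readable errors; an empty list means valid."""
    errors = []
    now = time.time() if now is None else now

    # iss: MUST be an https URL and MUST exactly match the configured issuer.
    iss = claims.get("iss")
    if not isinstance(iss, str):
        errors.append("iss missing")
    else:
        parsed = urlparse(iss)
        if parsed.scheme != "https" or not parsed.netloc:
            errors.append(f"iss {iss!r} is not an https URL")
        if iss != expected_issuer:
            errors.append(f"iss {iss!r} != expected issuer {expected_issuer!r}")

    # aud: a string or an array of strings; MUST contain our client_id.
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        audiences = []
        errors.append("aud missing or malformed")
    if audiences and client_id not in audiences:
        errors.append(f"aud {audiences!r} does not contain client_id {client_id!r}")

    # azp: SHOULD be present with multiple audiences; if present, MUST be our client_id.
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        errors.append("azp required when aud lists multiple audiences")
    if azp is not None and azp != client_id:
        errors.append(f"azp {azp!r} != client_id {client_id!r}")

    # Time window: exp (required), nbf (optional), iat (required).
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        errors.append("exp missing")
    elif now > exp + leeway:
        errors.append("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        errors.append("token not yet valid (nbf)")
    if not isinstance(claims.get("iat"), (int, float)):
        errors.append("iat missing")

    return errors


if __name__ == "__main__":
    for label, claims, issuer, now in (
        ("MITREid", MITREID_CLAIMS, "https://login.akvotest.org/mitreid/", 1413823900),
        ("Keycloak", KEYCLOAK_CLAIMS, EXPECTED_KEYCLOAK_ISSUER, 1413823300),
    ):
        errs = validate_id_token_claims(claims, issuer, "foobar", now=now)
        print(label, "OK" if not errs else errs)
```

Run as-is, the MITREid payload validates cleanly and the Keycloak payload is rejected for exactly the two reasons raised in the thread (iss is not an https URL and does not match the configured issuer; aud does not contain the client_id), while its azp of "foobar" passes. A relying party that skipped the aud check would accept a token minted for any client of the same realm, which is the practical reason the audience rule is a MUST in the spec.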
