In the JWT token there is a field 'aud', or audience, whose function is to state
for which client(s) that token is intended.
Currently (TokenManager:433) this is set to the client id:
token.audience(client.getClientId());
This seems fine in general, but we would like to have a token with multiple entries in the
audience field. This is possible and an array value is even claimed to be the 'general
case':
https://tools.ietf.org/html/rfc7519#section-4.1.3 (where one single value is
the 'special case')
Background is that we have a Keycloak running for a login of a frontend that talks to
multiple different resource servers. We'd prefer to use one token for all of those
resource servers. The resource servers use Spring Security, which explicitly checks that
the 'name' you give to your Spring service is matched by (a value of) the audience
field of the JWT token. So now we have to give all resource servers the same
'name', which doesn't feel right.
So we need some way to influence the value of the audience field. This could be achieved
by following this RFC:
https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
which suggests including a parameter in the request for the token. But that RFC does not
consider multiple values for the audience. Another option would be to add an audience
field in the settings of a Client in Keycloak. Which would, if set, define the audience
field of the JWT token. This could be a comma separated string value that would translate
to a JSON array. A question about this could be: 'then where to leave the client
id?'. As suggested by this:
https://stackoverflow.com/questions/32013835/client-id-or-multiple-audien...
the best place to put the client id is in the 'azp' field (authorized party).
Does the Keycloak team see this as a valuable addition? Will it be implemented at some
point in the future? Or can we make a pull request ourselves that will be merged?
Thanks, Erik
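The token shape the post argues for, as an added example that is not code from the original post, from Keycloak or from Spring Security: a JWT whose 'aud' claim is a JSON array naming every resource server, with the requesting client id moved into 'azp', plus the check a resource server would run on it (is my own name one of the audience values, accepting both the single-string special case and the array general case of RFC 7519 section 4.1.3). Everything here is constructed for illustration: the issuer URL, the client and resource server names, and the HS256 shared secret, which stands in for the realm's RS256 key only so the example runs offline.

```python
"""Mint and validate a JWT whose 'aud' claim lists several resource servers.

Added example, not Keycloak or Spring Security code. HS256 with a shared
secret is a stand-in for the realm's RS256 key so this runs offline.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the example only.
SECRET = b"constructed-demo-secret-not-for-production"
ISSUER = "https://keycloak.example/auth/realms/demo"  # assumed issuer


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(client_id, audiences, subject, secret=SECRET, lifetime=300):
    """Build a signed JWT.

    'aud' is emitted as a JSON array (the RFC 7519 general case) and the
    requesting client goes into 'azp', as the post proposes.
    """
    now = int(time.time())
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "azp": client_id,
        "aud": list(audiences),
        "iat": now,
        "exp": now + lifetime,
    }
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, secret=SECRET, now=None):
    """Check signature and expiry; return the claims or raise ValueError."""
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust 'none' or a foreign alg
    expected = hmac.new(secret, f"{head_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if (now or time.time()) >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def audiences_of(claims):
    """Normalise 'aud' per RFC 7519 section 4.1.3: a single string (special
    case) or an array of strings (general case); anything else is rejected."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud must be a string or an array of strings")


def resource_server_accepts(token, resource_name, secret=SECRET):
    """The check a resource server performs: is *my* name among the audiences?"""
    claims = verify_token(token, secret)
    return resource_name in audiences_of(claims)


if __name__ == "__main__":
    tok = mint_token("frontend-spa", ["inventory-api", "billing-api"], "erik")
    for name in ("inventory-api", "billing-api", "reports-api"):
        print(name, resource_server_accepts(tok, name))
```

With one token the two listed resource servers each find their own name in 'aud' and accept it, while a server not named there rejects it; 'azp' still records which client obtained the token, so the client id is not lost when 'aud' becomes an array.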