I tested with libraries based on Apache Oltu and even I noticed that the realm name is being
sent in the ID token under "iss". "aud" is null when I included
multiple redirect URIs, which is breaking the validation (as per the OpenID spec).
"azp" is not being sent (it is optional unless more than 1 client is registered)
- expect that to be sent once I register two clients.
Used /account for the userinfo endpoint; that didn't work. Will provide more feedback as I
continue to test.
FYI - My libraries were tested completely against a server implementation based on
MITRE's OpenID Connect and they are good.
On Oct 20, 2014, at 2:24 PM, Iván Perdomo <ivan(a)akvo.org>
On Mon, 20 Oct 2014 13:57:44 -0400
Bill Burke <bburke(a)redhat.com> wrote:
> I thought the issuer was the realm. I guess it's not....Also looks
> like we'll need to have one URL to process all realm oidc requests as
> the ISS is validated.
> Does this library offer any encryption/signature options for the ID
The library validating the token is Google's OAuth Client Library, the piece of code calling that library
keycloak-user mailing list