Hi,
On Mon, 20 Oct 2014 12:04:44 -0400
Bill Burke <bburke(a)redhat.com> wrote:
> Can't really tell, but maybe your library doesn't like the token
> format we send back? Just looking at the 1st exception in the log...
> Log a jira and we can look into it. Our queue is pretty full at the
> moment though.
I made some more logging, and I think I can identify some wrong values
in the ID Token returned by Keycloak.
This is a sample token by MITREid Connect:
{header={"alg":"RS256"},
payload={"aud":["foobar"],"exp":1413824459,...
This is a sample token returned by Keycloak:
{header={"alg":"RS256"},
payload={"aud":"akvo","azp":"foobar","exp":1413823598,"iat":1413823298,"iss":"akvo","jti":"0cbe4757-90fe-470f-9b86-29bfd9646437","nbf":0,"sub":"0959c25d-535b-4ab4-b533-d70d3db5c758","name":"User Akvo","email":"user@akvo.org","given_name":"User","family_name":"Akvo","preferred_username":"user","email_verified":true}}
There are wrong values in the Keycloak [1]:
* iss - in Keycloak is returning the Realm name, while needs to be the
URL of the issuer [2]
* aud - this value must contain the client_id "foobar" in our case, but
Keycloak is returning the Realm name.
If you provide some guidance I would like to help on fixing this
issue.
[1] http://openid.net/specs/openid-connect-basic-1_0-23.html#id.token.validation
[2] http://openid.net/specs/openid-connect-basic-1_0-23.html#id_token
Cheers,
--
Iván
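As an added illustration (not code from this thread, from Keycloak or from MITREid Connect), here is a Python check for the iss and aud claims the mail points at, following the ID Token Validation section of OpenID Connect Basic Client. The two claim sets are constructed, modelled on the quoted tokens, and the expected issuer URLs are assumptions.

```python
"""Claim checks for an OpenID Connect ID Token (issuer, audience, azp, times).

Signature verification is assumed to have happened already (e.g. in a JOSE
library); only the claim checks from the ID Token Validation section of
OpenID Connect Basic Client are covered here. Both claim sets below are
constructed, modelled on the tokens quoted in the mail, not the originals.
"""

MITREID_CLAIMS = {
    "iss": "https://op.example.org/",   # assumed issuer URL
    "aud": ["foobar"],                  # list form, contains the client_id
    "sub": "user-1",
    "exp": 1413824459,
    "iat": 1413824159,
}

KEYCLOAK_CLAIMS = {
    "iss": "akvo",            # realm name instead of the issuer URL
    "aud": "akvo",            # realm name, does not contain the client_id
    "azp": "foobar",
    "sub": "0959c25d-535b-4ab4-b533-d70d3db5c758",
    "exp": 1413823598,
    "iat": 1413823298,
    "nbf": 0,
}


def validate_id_token_claims(claims, expected_issuer, client_id, now):
    """Return a list of failures; an empty list means the claims pass."""
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("iss %r does not match expected issuer %r"
                        % (claims.get("iss"), expected_issuer))
    # aud may be a single string or a list of strings
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("aud %r does not contain client_id %r" % (aud, client_id))
    # With several audiences the authorized party must be named explicitly
    if len(aud_list) > 1 and "azp" not in claims:
        problems.append("multiple audiences but no azp claim")
    if "azp" in claims and claims["azp"] != client_id:
        problems.append("azp %r is not client_id %r" % (claims["azp"], client_id))
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token is expired or exp is missing")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        problems.append("token is not yet valid (nbf in the future)")
    return problems
```

Run against the constructed Keycloak-style claims with client_id "foobar", the function reports exactly the two mismatches described in the mail; the MITREid-style claims pass.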