I thought the issuer was the realm. I guess it's not... Also, it looks like
we'll need to have one URL to process all realm OIDC requests, as the ISS
is validated.
Does this library offer any encryption/signature options for the ID Token?
On 10/20/2014 1:22 PM, Iván Perdomo wrote:
Hi,
On Mon, 20 Oct 2014 12:04:44 -0400
Bill Burke <bburke(a)redhat.com> wrote:
> Can't really tell, but maybe your library doesn't like the token
> format we send back? Just looking at the 1st exception in the log...
>
> Log a jira and we can look into it. Our queue is pretty full at the
> moment though.
I made some more logging, and I think I can identify some wrong values
in the ID Token returned by Keycloak.
This is a sample token by MITREid Connect:
{header={"alg":"RS256"},
payload={"aud":["foobar"],"exp":1413824459,...
This is a sample token returned by Keycloak:
{header={"alg":"RS256"},
payload={"aud":"akvo","azp":"foobar","exp":1413823598,"iat":1413823298,"iss":"akvo","jti":"0cbe4757-90fe-470f-9b86-29bfd9646437","nbf":0,"sub":"0959c25d-535b-4ab4-b533-d70d3db5c758","name":"User Akvo","email":"user@akvo.org","given_name":"User","family_name":"Akvo","preferred_username":"user","email_verified":true}}
There are wrong values in the Keycloak token [1]:
* iss - Keycloak is returning the Realm name, while it needs to be the
URL of the issuer [2]
* aud - this value must contain the client_id, "foobar" in our case, but
Keycloak is returning the Realm name.
If you provide some guidance I would like to help on fixing this
issue.
[1]
http://openid.net/specs/openid-connect-basic-1_0-23.html#id.token.validation
[2]
http://openid.net/specs/openid-connect-basic-1_0-23.html#id_token
Cheers,
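The two claim rules Iván points at (iss must equal the issuer URL the client was configured with, aud must contain the client_id, with azp checked when several audiences are present) are the part of ID Token validation a relying party does after verifying the signature. The check below is an added example, not code from the thread, from MITREid Connect or from Keycloak; it runs the claims quoted above through a minimal validator. The issuer URL, the "now" timestamp and the MITREid-style payload are constructed for the example (the thread only shows the first fields of the MITREid token), while the Keycloak claims are the ones pasted in the message.

```python
from typing import Any, Dict, List, Union

# Constructed values for the example: the issuer URL a client would be
# configured with (hypothetical) and the client_id used in the thread.
EXPECTED_ISSUER = "https://idp.example.org/auth/realms/akvo"
CLIENT_ID = "foobar"

# Claims exactly as pasted from the Keycloak token in the thread.
KEYCLOAK_PAYLOAD: Dict[str, Any] = {
    "aud": "akvo", "azp": "foobar", "exp": 1413823598, "iat": 1413823298,
    "iss": "akvo", "jti": "0cbe4757-90fe-470f-9b86-29bfd9646437", "nbf": 0,
    "sub": "0959c25d-535b-4ab4-b533-d70d3db5c758", "name": "User Akvo",
    "email": "user@akvo.org", "preferred_username": "user", "email_verified": True,
}

# Constructed payload in the shape MITREid Connect returns: list-valued aud
# holding the client_id and a URL issuer. Only aud/exp are shown in the thread.
MITREID_PAYLOAD: Dict[str, Any] = {
    "aud": ["foobar"], "exp": 1413824459, "iat": 1413823859,
    "iss": EXPECTED_ISSUER, "sub": "0959c25d-535b-4ab4-b533-d70d3db5c758",
}


def validate_id_token_claims(payload: Dict[str, Any], expected_issuer: str,
                             client_id: str, now: int) -> List[str]:
    """Return the list of problems found; an empty list means the claims pass.

    Assumes the JWS signature has already been verified against the
    issuer's published keys; this function only covers the claim checks.
    """
    problems: List[str] = []

    # iss: exact string comparison with the configured issuer URL. A bare
    # realm name cannot be tied to a specific deployment, so it must not match.
    iss = payload.get("iss")
    if iss != expected_issuer:
        problems.append(f"iss mismatch: got {iss!r}, expected {expected_issuer!r}")

    # aud: either a single string or a list; it must contain this client's id.
    aud: Union[str, List[str], None] = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        problems.append(f"aud {aud!r} does not contain client_id {client_id!r}")

    # azp: when several audiences are listed (or azp is present anyway) it
    # must name this client, so a token minted for another client is rejected.
    if len(audiences) > 1 or "azp" in payload:
        azp = payload.get("azp")
        if azp is None:
            problems.append("azp missing although aud lists several values")
        elif azp != client_id:
            problems.append(f"azp {azp!r} does not match client_id {client_id!r}")

    # exp / nbf / iat / sub: lifetime and identity claims.
    exp = payload.get("exp")
    if not isinstance(exp, int) or exp <= now:
        problems.append(f"token expired or exp missing (exp={exp!r}, now={now})")
    nbf = payload.get("nbf")
    if isinstance(nbf, int) and nbf > now:
        problems.append(f"token not yet valid (nbf={nbf}, now={now})")
    for required in ("iat", "sub"):
        if required not in payload:
            problems.append(f"{required} missing")
    return problems


def is_valid(payload: Dict[str, Any], expected_issuer: str,
             client_id: str, now: int) -> bool:
    return not validate_id_token_claims(payload, expected_issuer, client_id, now)


if __name__ == "__main__":
    # Constructed "current time" between the iat and exp of the quoted token.
    NOW = 1413823300
    for name, payload in (("MITREid", MITREID_PAYLOAD), ("Keycloak", KEYCLOAK_PAYLOAD)):
        found = validate_id_token_claims(payload, EXPECTED_ISSUER, CLIENT_ID, NOW)
        print(name, "OK" if not found else "REJECTED")
        for problem in found:
            print("  -", problem)
```

Run against the quoted Keycloak claims the validator reports exactly the two findings from the message (iss is the realm name, aud is the realm name rather than the client_id); the azp value "foobar" is accepted because it does match the client. This is also why the first reply notes that a single issuer URL per realm is needed: a client that compares iss by exact string match will reject every token whose iss is not the URL it was configured with.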