10:49 a.m.
Hi!
We just updated from release 4.5.0 to 4.6.0 and discovered that the
"aud" field has been changed to "aud": "account", rather
than the
client-id of the application.
After a bit of digging, we found the commit and associated pull request
for the change:
https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342f...
Unfortunately, *KEYCLOAK-8482* issue seems to be hidden, as I couldn't
find it on the Jira board.
We were counting on the "client_id" being present in the audiences, as
the Microsoft.NET core validators target specifically the audiences in
the JWT token, with no option of targeting the "azp" field.
Could anybody shed some light as to why the *client_id* was removed from
the audiences?
Best regards,
Cristian Schuszter
3:14 p.m.
I've encountered a similar issue when switching from 4.5 to 4.6:
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016445.html
I've been using the audience token mapper, which stopped working after the upgrade.
Maybe these issues are related?
On 11/26/18, 9:01 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf of Cristian
Schuszter" <keycloak-user-bounces(a)lists.jboss.org on behalf of
cristian.schuszter(a)cern.ch> wrote:
Hi!
We just updated from release 4.5.0 to 4.6.0 and discovered that the
"aud" field has been changed to "aud": "account", rather
than the
client-id of the application.
After a bit of digging, we found the commit and associated pull request
for the change:
https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342f...
Unfortunately, *KEYCLOAK-8482* issue seems to be hidden, as I couldn't
find it on the Jira board.
We were counting on the "client_id" being present in the audiences, as
the Microsoft.NET core validators target specifically the audiences in
the JWT token, with no option of targeting the "azp" field.
Could anybody shed some light as to why the *client_id* was removed from
the audiences?
Best regards,
Cristian Schuszter
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
12:17 a.m.
The ID token which is aimed at the RP (authenticating application) includes
the RP client in the audience. The access token which is aimed at invoking
external services doesn't include this by default.
On Mon, 26 Nov 2018, 22:22 Lamina, Marco <marco.lamina(a)sap.com wrote:
I've encountered a similar issue when switching from 4.5 to 4.6:
http://lists.jboss.org/pipermail/keycloak-user/2018-November/016445.html
I've been using the audience token mapper, which stopped working after the
upgrade. Maybe these issues are related?
On 11/26/18, 9:01 AM, "keycloak-user-bounces(a)lists.jboss.org on behalf
of Cristian Schuszter" <keycloak-user-bounces(a)lists.jboss.org on behalf
of cristian.schuszter(a)cern.ch> wrote:
Hi!
We just updated from release 4.5.0 to 4.6.0 and discovered that the
"aud" field has been changed to "aud": "account",
rather than the
client-id of the application.
After a bit of digging, we found the commit and associated pull
request
for the change:
https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342f...
Unfortunately, *KEYCLOAK-8482* issue seems to be hidden, as I couldn't
find it on the Jira board.
We were counting on the "client_id" being present in the audiences, as
the Microsoft.NET core validators target specifically the audiences in
the JWT token, with no option of targeting the "azp" field.
Could anybody shed some light as to why the *client_id* was removed
from
the audiences?
Best regards,
Cristian Schuszter
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
2:30 a.m.
On 26/11/2018 17:49, Cristian Schuszter wrote:
Hi!
We just updated from release 4.5.0 to 4.6.0 and discovered that the
"aud" field has been changed to "aud": "account", rather
than the
client-id of the application.
After a bit of digging, we found the commit and associated pull request
for the change:
https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342f...
Unfortunately, *KEYCLOAK-8482* issue seems to be hidden, as I couldn't
find it on the Jira board.
We were counting on the "client_id" being present in the audiences, as
the Microsoft.NET core validators target specifically the audiences in
the JWT token, with no option of targeting the "azp" field.
The client_id is still present in the ID Token by default. In the access
token it is not present by default now. However per OIDC/OAuth2
specification, the access token is just the opaque string. In theory,
you shouldn't assume any specific format of our access token when using
it with 3rd party adapter.
If you really need to add client_id to the "aud" field, you can achieve
it by adding Audience protocol mapper to your client and add the
client_id of your client to it. This will defacto add the "hardcoded"
client_id to the token.
Marek
Could anybody shed some light as to why the *client_id* was removed from
the audiences?
Best regards,
Cristian Schuszter
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
1994
days inactive
2003
days old
3 comments
4 participants
participants (4)
-
Cristian Schuszter -
Lamina, Marco -
Marek Posolda -
Stian Thorgersen