[keycloak-dev] Usage of "aud" claim in access tokens

Schuster Sebastian (INST/ESY1) Sebastian.Schuster at bosch-si.com
Mon Jun 26 07:41:39 EDT 2017 

Hi everybody,

While playing around with the authorization api and the photoz example I noticed the aud claim in the access token contained the client_id of the RP similar to the ID token. This was not quite what I expected. The client is the intended consumer of the ID token as per spec: “Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value.” So everything is fine here.

The consumer of the access token is in my opinion the resource server granting access based on content of the access token (in the case of opaque tokens, the client can’t even read the access token). Per JWT spec: “The "aud" (audience) claim identifies the recipients that the JWT is intended for.  Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim then this claim is present, then the JWT MUST be rejected.”

Therefore, for my access token of the photos example having the client id in the “aud” claim:
{
  "jti": "ad02bc48-ee9c-4480-b8d2-ca57547c8026",
  "exp": 1498475985,
  "nbf": 0,
  "iat": 1498475685,
  "iss": "http://localhost:8180/auth/realms/photoz",
  "aud": "photoz-html5-client",
  "sub": "73c303f1-7088-4f09-85c3-bd39a736c833",
  "typ": "Bearer",
  "azp": "photoz-html5-client",
  "nonce": "02df304b-199b-4dd8-923d-9cf470d1129a",
  "auth_time": 1498475685,
  "session_state": "e202b205-15bd-43c8-9fbd-cd602d0708f0",
  "acr": "1",
  "allowed-origins": [
    "*"
  ],
  "realm_access": {
    "roles": [
      "uma_authorization",
      "user"
    ]
  },
  "resource_access": {
    "photoz-restful-api": {
      "roles": [
        "manage-albums"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "name": "Alice In Chains",
  "preferred_username": "alice",
  "given_name": "Alice",
  "family_name": "In Chains",
  "email": "alice at keycloak.org"
}

I would have expected an audience claim like “aud”:[“photoz-restful-api”, “account”, “http://localhost:8180/auth/realms/photoz”] (the first two for the resource servers defining the roles, the last one for the entire realm and the realm roles).

What do you think?

Best regards,
Sebastian



Mit freundlichen Grüßen / Best regards

Sebastian Schuster

Engineering and Support (INST/ESY1)
Bosch Software Innovations GmbH | Schöneberger Ufer 89-91 | 10785 Berlin | GERMANY | www.bosch-si.com<http://www.bosch-si.com>
Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com<mailto:Sebastian.Schuster at bosch-si.com>

Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B
Geschäftsführung: Dr.-Ing. Rainer Kallenbach, Michael Hahn

More information about the keycloak-dev mailing list