[keycloak-user] Motivation behind the removal of client_id from "aud" in the JWT

Stian Thorgersen sthorger at redhat.com
Tue Nov 27 01:17:05 EST 2018


The ID token which is aimed at the RP (authenticating application) includes
the RP client in the audience. The access token which is aimed at invoking
external services doesn't include this by default.

On Mon, 26 Nov 2018, 22:22 Lamina, Marco <marco.lamina at sap.com> wrote:

> I've encountered a similar issue when switching from 4.5 to 4.6:
> http://lists.jboss.org/pipermail/keycloak-user/2018-November/016445.html
>
> I've been using the audience token mapper, which stopped working after the
> upgrade. Maybe these issues are related?
>
>
> On 11/26/18, 9:01 AM, "keycloak-user-bounces at lists.jboss.org on behalf
> of Cristian Schuszter" <keycloak-user-bounces at lists.jboss.org on behalf
> of cristian.schuszter at cern.ch> wrote:
>
>     Hi!
>
>     We just updated from release 4.5.0 to 4.6.0 and discovered that the
>     "aud" field has been changed to "aud": "account", rather than the
>     client-id of the application.
>
>     After a bit of digging, we found the commit and associated pull request
>     for the change:
>
> https://github.com/keycloak/keycloak/commit/f67d6f96607e51b1839501203342faf9f6987503#diff-d45230ec2a55480bbaf022aee366e898R85
>
>     Unfortunately, *KEYCLOAK-8482* issue seems to be hidden, as I couldn't
>     find it on the Jira board.
>
>     We were counting on the "client_id" being present in the audiences, as
>     the Microsoft.NET core validators target specifically the audiences in
>     the JWT token, with no option of targeting the "azp" field.
>
>     Could anybody shed some light as to why the *client_id* was removed from
>     the audiences?
>
>
>     Best regards,
>
>     Cristian Schuszter
>
>     _______________________________________________
>     keycloak-user mailing list
>     keycloak-user at lists.jboss.org
>     https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
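The distinction Stian draws above (ID token audience names the RP client, access token audience does not by default) is what an audience-only validator such as the .NET one Cristian mentions acts on. The following is an added example, not code from the thread or from Keycloak: it models that check in Python over constructed claim sets shaped like the 4.6 tokens described in the thread, with a hypothetical client id and an "aud" that may be a string or a list as RFC 7519 allows.

```python
import base64
import json

# Constructed sample claim sets (added example, not from the thread).
# Shaped as the thread describes Keycloak 4.6 tokens: the ID token's "aud"
# names the RP's client_id, while the access token's "aud" is "account"
# and only "azp" carries the client_id.
CLIENT_ID = "my-webapp"  # hypothetical client id
ID_TOKEN_CLAIMS = {"typ": "ID", "aud": CLIENT_ID, "azp": CLIENT_ID}
ACCESS_TOKEN_CLAIMS = {"typ": "Bearer", "aud": "account", "azp": CLIENT_ID}
# Shape produced when an audience mapper adds the client: "aud" becomes a list.
MAPPED_ACCESS_TOKEN_CLAIMS = {"typ": "Bearer", "aud": ["account", CLIENT_ID], "azp": CLIENT_ID}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def compact_unsigned(claims: dict) -> str:
    """Build a compact JWS string as a test fixture only (signature segment
    left empty). A real validator verifies the signature before reading claims."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_payload(token: str) -> dict:
    """Return the claim set from the payload segment of a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audiences(claims: dict) -> set:
    """RFC 7519 allows "aud" to be a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return set()
    return {aud} if isinstance(aud, str) else set(aud)


def audience_ok(claims: dict, expected: str) -> bool:
    """Mirror an audience-only validator: the token is accepted only if
    `expected` is among its audiences; "azp" is deliberately not consulted."""
    return expected in audiences(claims)
```

Run against the fixtures, the ID token passes for the client, the default 4.6 access token fails for the client but passes for "account", and only the mapper-shaped access token passes for the client.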

