[keycloak-user] Audience claim in Keycloak access tokens

Pedro Igor Silva psilva at redhat.com
Tue Aug 13 08:24:01 EDT 2019 

Hi,

The reasoning behind this change is that we are now more aligned with the
OAuth2 specs. This is especially true when you are using code grant, where
your client, acting on behalf of the user, is using the access token to
access protected resources at the resource server. Including the client in
the list of audiences by default does not make sense and we fixed that. Now
you have more control over the audience of your access tokens.

The audience should be calculated based on the scopes being requested and,
in the case of Keycloak, also based on the client roles granted to a user.

I think we also have plans to add support for resource indicators so that
clients can explicitly request where the token will be used as well as
perform any additional logic/policies before issuing tokens.

Regards.
Pedro Igor

On Mon, Aug 12, 2019 at 3:07 AM Peemöller, Björn <
Bjoern.Peemoeller at berenberg.de> wrote:

> Hi everyone,
>
> I have some questions about the audience claim in JWT and how they are
> handled in Keycloak, maybe someone can help me?
>
> During an upgrade of our Keycloak instances from 4.1.0 to 6.0.1, we
> discovered that the handling of the audience claim changed for at least the
> following scenario:
>
>
> -       A technical (service) user obtains a token for the client clientA
> using the endpoint /realms/{realm-name}/protocol/openid-connect/token
>
> -       In the scope mappings of client A, the client roles of client
> clientB are added
>
> Using Keycloak 4.1.0, the returned JWT contains
>
> ...
> "aud": "clientA",
> "azp": "clientA",
> ...
>
> while using Keycloak 6.0.1, the JWT contains
>
> ...
> "aud": "clientB",
> "azp": "clientA",
> ...
>
> While I understand that the second variant better allows to securely use
> the token also for client clientB, the token can no longer be used for the
> clientA if the client validates the token's audience, although the client
> was explicitly requested for clientA.
>
> The Keycloak documentation [1] says that the client for which the token is
> issued will not be contained in the audience of the access token but can be
> added using the hardcoded audience mapper, which indeed leads to the claims
>
> ...
> "aud": [
> "clientA",
> "clientB",
> ],
> "azp": "clientA",
> ...
>
> Now my questions: What is the rationale behind this behavioral change from
> Keycloak 4.1.0 to Keycloak 6.0.1? Why is the client for which the token is
> issued not included in the access token's audience? I mean, finally, it is
> the client the token is requested for.
>
> Many thanks in advance,
> Björn
>
> [1]: https://www.keycloak.org/docs/latest/server_admin/#_audience
>
>
> Bei Berenberg hat der Schutz Ihrer Daten seit jeher höchste Priorität.
> Informationen zum Umgang mit personenbezogenen Daten finden Sie hier:
> https://www.berenberg.de/files/Rechtliche%20Hinweise/DSGVO/DSGVO-Kundeninformation%20-%20Binder%20-%20D.pdf
> Diese Nachricht einschliesslich etwa beigefuegter Anhaenge ist vertraulich
> und kann dem Bank- und Datengeheimnis unterliegen oder sonst rechtlich
> geschuetzte Daten und Informationen enthalten. Wenn Sie nicht der richtige
> Adressat sind oder diese Nachricht irrtuemlich erhalten haben, informieren
> Sie bitte sofort den Absender über die Antwortfunktion. Anschliessend
> moechten Sie bitte diese Nachricht einschliesslich etwa beigefuegter
> Anhaenge unverzueglich vollstaendig loeschen. Das unerlaubte Kopieren oder
> Speichern dieser Nachricht und/oder der ihr etwa beigefuegten Anhaenge
> sowie die unbefugte Weitergabe der darin enthaltenen Daten und
> Informationen sind nicht gestattet. Wir weisen darauf hin, dass
> rechtsverbindliche Erklaerungen namens unseres Hauses grundsaetzlich der
> Unterschriften zweier ausreichend bevollmaechtigter Vertreter unseres
> Hauses beduerfen. Wir verschicken daher keine rechtsverbindlichen
> Erklaerungen per E-Mail an Dritte. Demgemaess nehmen wir per E-Mail auch
> keine rechtsverbindlichen Erklaerungen oder Auftraege von Dritten entgegen.
> Sollten Sie Schwierigkeiten beim Oeffnen dieser E-Mail haben, wenden Sie
> sich bitte an den Absender oder an info at berenberg.de. Unsere Hinweise zum
> Schutz personenbezogener Daten finden Sie unter
> https://www.berenberg.de/files/Rechtliche+Hinweise/DSGVO/DSGVO-Kundeninformation-Binder+DE+2018-04+L.pdf
> .
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

More information about the keycloak-user mailing list