[keycloak-user] token introspection endpoint does not accept its URL as audience during signed JWT client auth

Hans Zandbelt hans.zandbelt at zmartzone.eu
Thu Jun 20 00:34:35 EDT 2019


FWIW: the spec is not clear on this case, see a discussion about it here:
https://mailarchive.ietf.org/arch/msg/oauth/Z2QXaIPXvP8BIA0by6ktFSoyKK8
Based on that input I agree with Simon and would suggest to accept both.

Hans.

On Thu, Jun 20, 2019 at 3:45 AM <keycloak-user-request at lists.jboss.org> wrote:

>
> We think we found a problem when using the token introspection
> endpoint with signed JWT client auth.
>
> In the JWT, audience is set to the URL of the token introspection
> endpoint (we use mod_auth_openidc). However, Keycloak throws an error in
> JWTClientAuthenticator which looks like this:
>
>   Error when validating client assertion: java.lang.RuntimeException: Token
>   audience doesn't match domain. Realm issuer is
>   'https://.../auth/realms/master' but audience from token is
>   '[https://.../auth/realms/master/protocol/openid-connect/token/introspect]'
>
> We found the description of a similar problem in KEYCLOAK-3424 for
> the token endpoint (see [0]).  Here, JWTClientAuthenticator was adapted to
> accept both the issuer as well as the actual token endpoint URL as
> audience.
>
> Now, we are wondering whether that change failed to address the
> token introspection endpoint as well, or whether we are doing
> something wrong.
>
>
> [0]
> https://issues.jboss.org/browse/KEYCLOAK-3424?focusedCommentId=13285402&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13285402

-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu
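As an added example (this is not code from Keycloak, mod_auth_openidc, or anyone on this thread), the script below models the audience check a client-assertion authenticator performs and contrasts the two policies discussed above: an allow-list of realm issuer plus token endpoint only (the behaviour described for KEYCLOAK-3424), and one that also accepts the introspection endpoint URL. The realm URL `idp.example.test`, the client id and the secret are made up; the assertion is HMAC-signed (the client_secret_jwt variant of RFC 7523) so that the script needs only the standard library, and the audience logic is identical for an RSA-signed private_key_jwt assertion.

```python
"""Client-assertion audience check, RFC 7523 / OIDC client_secret_jwt style.

Added illustration, not Keycloak or mod_auth_openidc code. HS256 is used
instead of RS256 purely to stay dependency-free; the aud handling is the same.
"""
import base64
import hashlib
import hmac
import json
import time
import uuid

# Hypothetical realm; endpoint paths follow the Keycloak layout quoted in the thread.
REALM_ISSUER = "https://idp.example.test/auth/realms/master"
TOKEN_ENDPOINT = REALM_ISSUER + "/protocol/openid-connect/token"
INTROSPECTION_ENDPOINT = REALM_ISSUER + "/protocol/openid-connect/token/introspect"

# Policy A: what an authenticator that only knows issuer + token endpoint accepts.
TOKEN_ONLY_AUDIENCES = frozenset({REALM_ISSUER, TOKEN_ENDPOINT})
# Policy B: additionally accept the introspection endpoint URL ("accept both").
ACCEPT_BOTH_AUDIENCES = TOKEN_ONLY_AUDIENCES | {INTROSPECTION_ENDPOINT}


class ClientAssertionError(Exception):
    """Raised when a client assertion must be rejected."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_assertion(client_id, client_secret, audience, now=None, lifetime=60):
    """Client side: build an HS256 assertion. `audience` may be a str or a list."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "jti": str(uuid.uuid4()), "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_client_assertion(token, client_secret, allowed_audiences, now=None):
    """Server side: return the claims if alg, signature, expiry and aud all pass."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ClientAssertionError("malformed JWT")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header's alg
        raise ClientAssertionError("unexpected alg")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ClientAssertionError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise ClientAssertionError("expired")
    # aud is a string or an array (RFC 7519 s4.1.3); accept if ANY value is allowed.
    aud = claims.get("aud")
    aud_values = [aud] if isinstance(aud, str) else list(aud or [])
    if not any(a in allowed_audiences for a in aud_values):
        raise ClientAssertionError(
            f"Token audience doesn't match domain. Realm issuer is {REALM_ISSUER!r} "
            f"but audience from token is {aud_values!r}")
    return claims


def audience_accepted(audience, allowed_audiences):
    """True if an assertion carrying `audience` passes the given allow-list."""
    fixed_now = 1_561_000_000  # fixed clock so the result is deterministic
    token = make_client_assertion("mod-auth-openidc", "s3cret", audience, now=fixed_now)
    try:
        validate_client_assertion(token, "s3cret", allowed_audiences, now=fixed_now)
        return True
    except ClientAssertionError:
        return False


if __name__ == "__main__":
    candidates = [REALM_ISSUER, TOKEN_ENDPOINT, INTROSPECTION_ENDPOINT,
                  [REALM_ISSUER, INTROSPECTION_ENDPOINT],
                  "https://other.example.test/auth/realms/master"]
    for label, allowed in (("token-endpoint-only", TOKEN_ONLY_AUDIENCES),
                           ("accept-both", ACCEPT_BOTH_AUDIENCES)):
        for aud in candidates:
            print(f"{label:20} aud={aud!s:95} -> {audience_accepted(aud, allowed)}")
```

Two points worth noting from running it: an assertion whose `aud` is only the introspection URL is rejected under the token-endpoint-only list and accepted once that URL is added, and a client that sends `aud` as an array containing both the realm issuer and the endpoint URL interoperates with either policy, which is the practical workaround until the server accepts both. Widening the allow-list to a second endpoint of the same realm does not let an assertion minted for this realm be replayed against another issuer; the foreign-realm candidate still fails under both policies. Single-use `jti` tracking is left out here and is still needed against replay within the assertion's lifetime.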