Keycloak-gatekeeper: 'aud' claim and 'client_id' do not match

keycloak keycloak-gatekeeper
arkadiy picture arkadiy · Nov 30, 2018 · Viewed 18.4k times · Source

What is the correct way to set the aud claim to avoid the error below?

unable to verify the id token   {"error": "oidc: JWT claims invalid: invalid claims, 'aud' claim and 'client_id' do not match, aud=account, client_id=webapp"}

I kinda worked around this error message by hardcoding aud claim to be the same as my client_id. Is there any better way?

Here is my docker-compose.yml:

version: '3'
services:
  keycloak-proxy:
    image: "keycloak/keycloak-gatekeeper"
    environment:
     - PROXY_LISTEN=0.0.0.0:3000
     - PROXY_DISCOVERY_URL=http://keycloak.example.com:8181/auth/realms/realmcom
     - PROXY_CLIENT_ID=webapp
     - PROXY_CLIENT_SECRET=0b57186c-e939-48ff-aa17-cfd3e361f65e
     - PROXY_UPSTREAM_URL=http://test-server:8000
    ports:
      - "8282:3000"
    command:
      - "--verbose"
      - "--enable-refresh-tokens=true"
      - "--enable-default-deny=true"
      - "--resources=uri=/*"
      - "--enable-session-cookies=true"
      - "--encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j"
  test-server:
    image: "test-server"

Answer

rfs picture rfs · Dec 5, 2018

With recent keycloak version 4.6.0 the client id is apparently no longer automatically added to the audience field 'aud' of the access token. Therefore even though the login succeeds the client rejects the user. To fix this you need to configure the audience for your clients (compare doc [2]).

Configure audience in Keycloak

  • Add realm or configure existing
  • Add client my-app or use existing
  • Goto to the newly added "Client Scopes" menu [1]
    • Add Client scope 'good-service'
    • Within the settings of the 'good-service' goto Mappers tab
      • Create Protocol Mapper 'my-app-audience'
        • Name: my-app-audience
        • Choose Mapper type: Audience
        • Included Client Audience: my-app
        • Add to access token: on
  • Configure client my-app in the "Clients" menu
    • Client Scopes tab in my-app settings
    • Add available client scopes "good-service" to assigned default client scopes

If you have more than one client repeat the steps for the other clients as well and add the good-service scope. The intention behind this is to isolate client access. The issued access token will only be valid for the intended audience. This is thoroughly described in Keycloak's documentation [1,2].

Links to recent master version of keycloak documentation:

Links with git tag:

Related questions

How to redirect keyclock to application's page and get token

I am using keycloak's login and registration page. For login I use: keycloak.init({onLoad: 'login-required'}).then(function (authenticated) { if (!authenticated) { } else{ } This works fine as I can use the code above to redirect to the application page with token …

Read More
keycloak Invalid parameter: redirect_uri

When I am trying to hit from my api to authenticate user from keycloak, but its giving me error Invalid parameter: redirect_uri on keycloak page. I have created my own realm apart from master. keycloak is running on http. …

Read More
What are Keycloak's OAuth2 / OpenID Connect endpoints?

We are trying to evaluate Keycloak as an SSO solution, and it looks good in many respects, but the documentation is painfully lacking in the basics. For a given Keycloak installation on http://localhost:8080/ for realm test, what are the …

Read More