Add client-id to audience (Keycloak #1916)
Bug
The audience (aud claim) in your token is supposed to include the client-id of your oauth2-proxy client. Currently there is a bug in the Keycloak OIDC provider (see #1916), so the roles configuration from Keycloak is not enough: you have to manually create a mapper in your client scope that adds a hardcoded audience matching your client-id.
Note
More information in the Keycloak documentation: Hardcoded audience. There is no way to disable the audience check in OIDC; it would be a security hole, because any token issued for another service in your Keycloak realm would then permit access to this backend!
Create a Client Scope
- In the left sidebar, click on Client Scopes.
- Click on Create.
- Enter the following details and Save:
| Field | Value |
|---|---|
| Name | audience-scope |
| Description | Audience Mapper Scope |
Add a Mapper to Client Scope
Note
The "Audience" mapper type in Keycloak is used to add specific audiences to the aud (audience) claim of a token.
The audience claim identifies the recipients that the token is intended for. This is particularly useful when a token
is intended to be used by multiple services or clients, ensuring that only the intended recipients accept the token.
- Select the newly created audience-scope.
- Go to the Mappers tab.
- Click on Configure a new mapper.
- Configure the mapper as follows and Save:
| Field | Value |
|---|---|
| Name | audience |
| Mapper Type | Audience |
| Included Client Audience | mkdocs-client |
| Add to ID token | ON |
| Add to access token | ON |
Assign Client Scope to Client
- In the left sidebar, click Clients.
- Select mkdocs-client.
- Go to the Client Scopes tab.
- Click Add client scope.
- Add audience-scope.
- Ensure that audience-scope is listed under the Assigned Default Client Scopes.
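After completing the steps above it is worth confirming that tokens issued for mkdocs-client really carry the client-id in their aud claim, since that is exactly what oauth2-proxy checks. The following Python snippet is an added example, not part of this page, of oauth2-proxy or of Keycloak: it decodes the payload of a JWT (without verifying the signature, so it is an inspection aid only) and checks whether the audience includes a given client-id, handling both forms the aud claim may take (a single string or an array). The two tokens it inspects are constructed samples that mimic a token before and after the mapper is assigned; the issuer URL and subject are placeholders. It also illustrates the note above: a token whose aud lists only another service is rejected even though azp names this client.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url-encoded without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact-serialized JWT.

    The signature is NOT verified here. Signature validation is oauth2-proxy's
    job; this helper only lets you inspect what Keycloak put into the token,
    so never use it for authorization decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialized JWT (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def audience_contains(claims: dict, client_id: str) -> bool:
    """RFC 7519 allows `aud` to be either a single string or an array of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, list):
        return client_id in aud
    return False  # claim missing or of an unexpected type


def check_token(token: str, client_id: str = "mkdocs-client") -> bool:
    """True if the token's audience includes the oauth2-proxy client-id."""
    return audience_contains(jwt_claims(token), client_id)


def _make_unsigned_token(claims: dict) -> str:
    # Constructed sample for offline demonstration only: a header, the payload and
    # an empty signature segment. Real Keycloak tokens are signed (RS256); a
    # verifier must never accept alg=none.
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed samples (placeholder issuer and subject).
# Before the mapper: azp names our client, but aud does not include it.
TOKEN_WITHOUT_MAPPER = _make_unsigned_token({
    "iss": "https://keycloak.example/realms/demo",
    "sub": "user-placeholder",
    "azp": "mkdocs-client",
    "aud": "some-other-service",
})
# After the mapper: aud now lists mkdocs-client as well.
TOKEN_WITH_MAPPER = _make_unsigned_token({
    "iss": "https://keycloak.example/realms/demo",
    "sub": "user-placeholder",
    "azp": "mkdocs-client",
    "aud": ["mkdocs-client", "some-other-service"],
})


if __name__ == "__main__":
    for label, tok in (("without mapper", TOKEN_WITHOUT_MAPPER),
                       ("with mapper", TOKEN_WITH_MAPPER)):
        print(f"{label}: aud={jwt_claims(tok).get('aud')!r} "
              f"-> accepted by audience check: {check_token(tok)}")
```

To use it against a real token, paste the access token obtained for mkdocs-client in place of the constructed sample; a result of False means the audience-scope mapper is not being applied to that client and oauth2-proxy will reject the token.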