
I am getting the following error message when trying to authenticate using JWT.

Now, on its face, this error is that I need to set the aud parameter in my JWT to a string - ok, I get that.

However, my IAM, Keycloak, is providing the following:

  "aud": [
    "broker",
    "account"
  ],

Should I be manually changing this to only one of these values? I'm not quite sure what audience does and if I'd be losing information if I just decide to get rid of one of the values.

From my reading:

The audience aud claim in a JWT is meant to refer to the Resource Servers that should accept the token.

I don't think I need either broker or account - how would I change them to something else - a string value?

EDIT:

I just want to set "aud" to a single string value in keycloak. That's it.

EDIT2:

Both the Audience and Audience Resolve protocol mappers add the audiences just to the access token by default. The ID Token typically contains only single audience, which is the client ID of the client for which the token was issued. This is a requirement of the OpenID Connect specification. On the other hand, the access token does not necessarily have the client ID of the client, which was the token issued for, unless any of the audience mappers added it.
Steven Matthews
  • Keycloak [docs](https://www.keycloak.org/docs/6.0/server_admin/#_audience) talk about this. This question might be a duplicate of [52230634](https://stackoverflow.com/questions/52230634/issuing-api-keys-using-keycloak/53178757#53178757) – identigral Aug 11 '19 at 17:30
  • I don't think that this is related to the docs or a duplicate. I want to get rid of services and make it so that it's one service as a string, not an array, not map an additional one. I already tried doing that. – Steven Matthews Aug 11 '19 at 18:22
  • In that case please update your question with details of your scenario (app / KeyCloak / service) – identigral Aug 11 '19 at 18:33
  • But it's clear? I want to change aud to just a string. Just one string value, that's it. That's all I want to do. – Steven Matthews Aug 11 '19 at 18:34
  • I don't really know Keycloak that well, sorry. – Steven Matthews Aug 11 '19 at 18:37
  • The implementation in Keycloak depends on your scenario (what you're trying to accomplish in architectural terms). Here's how you set the audience to a string: https://www.keycloak.org/docs/latest/server_admin/#_audience_hardcoded – identigral Aug 11 '19 at 18:41
  • Oh ok. I think the extra keys must be being added by audience resolve, whatever that is. I'll read up more on it. – Steven Matthews Aug 11 '19 at 18:43
  • Thank you, you set me on the right path! Deleting my audience resolve worked! – Steven Matthews Aug 11 '19 at 18:56

1 Answer


The fix for this was that both audience mapping as well as audience resolve contribute roles.

Steven Matthews
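The underlying issue in the question is that RFC 7519 allows `aud` to be either a single string or an array of strings, while the library that raised the error only accepted the string form. The following is an added example, not code from the question or from Keycloak, showing how a resource server can accept both shapes and still reject tokens that do not name it; the audience name `my-api` and the sample payloads are constructed for illustration.

```python
# Added example (not from the question or Keycloak): an aud check that
# follows RFC 7519 section 4.1.3, where "aud" may be a single string or
# an array of strings. Whatever the shape, the resource server must still
# insist that its own identifier is present; a token issued for "broker"
# and "account" only is not valid for a third service.
import json


class AudienceError(ValueError):
    """Raised when the aud claim is missing, malformed, or empty."""


def audiences(claims):
    """Return the aud claim as a list of strings, whatever its JSON shape."""
    if "aud" not in claims:
        raise AudienceError("aud claim is missing")
    aud = claims["aud"]
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise AudienceError("aud must be a string or a non-empty array of strings")


def check_audience(claims, expected):
    """True only if `expected` (this service's identifier) is an audience."""
    return expected in audiences(claims)


def audience_problem(claims):
    """Return the rejection reason for a bad aud claim, or None if it is usable."""
    try:
        audiences(claims)
    except AudienceError as exc:
        return str(exc)
    return None


# Constructed sample payloads (decoded JWT bodies), not real tokens.
KEYCLOAK_STYLE = json.loads('{"sub": "u1", "aud": ["broker", "account"]}')
SINGLE_STRING = json.loads('{"sub": "u1", "aud": "my-api"}')

if __name__ == "__main__":
    print(check_audience(KEYCLOAK_STYLE, "account"))  # True: listed audience
    print(check_audience(KEYCLOAK_STYLE, "my-api"))   # False: not issued for us
    print(check_audience(SINGLE_STRING, "my-api"))    # True: string form
    print(audience_problem({"sub": "u1"}))            # aud claim is missing
```

Collapsing the array to one string on the Keycloak side (as the accepted comment suggests, by removing the audience resolve mapper) is fine when only one service consumes the token, but a verifier written this way keeps working if a second audience is ever added back.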