Keycloak-gatekeeper: 'aud' claim and 'client_id' do not match

keycloak keycloak-gatekeeper
37,770

Solution 1

With recent keycloak version 4.6.0 the client id is apparently no longer automatically added to the audience field 'aud' of the access token. Therefore even though the login succeeds the client rejects the user. To fix this you need to configure the audience for your clients (compare doc [2]).

Configure audience in Keycloak

  • Add realm or configure existing
  • Add client my-app or use existing
  • Goto to the newly added "Client Scopes" menu [1]
    • Add Client scope 'good-service'
    • Within the settings of the 'good-service' goto Mappers tab
      • Create Protocol Mapper 'my-app-audience'
        • Name: my-app-audience
        • Choose Mapper type: Audience
        • Included Client Audience: my-app
        • Add to access token: on
  • Configure client my-app in the "Clients" menu
    • Client Scopes tab in my-app settings
    • Add available client scopes "good-service" to assigned default client scopes

If you have more than one client repeat the steps for the other clients as well and add the good-service scope. The intention behind this is to isolate client access. The issued access token will only be valid for the intended audience. This is thoroughly described in Keycloak's documentation [1,2].

Links to recent master version of keycloak documentation:

Links with git tag:

Solution 2

This is due to a bug: https://issues.jboss.org/browse/KEYCLOAK-8954

There are two workarounds described in the bug report, both of which appear to do basically the same thing as the accepted answer here but can be applied to the Client Scope role, so you don't have to apply them to every client individually.

Solution 3

If, like me, you want to automate the keycloak config, you can use kcadm

/opt/jboss/keycloak/bin/kcadm.sh \
        create clients/d3170ee6-7778-413b-8f41-31479bdb2166/protocol-mappers/models -r your-realm \
        -s name=audience-mapping \
        -s protocol=openid-connect \
        -s protocolMapper=oidc-audience-mapper \
        -s config.\"included.client.audience\"="your-audience" \
        -s config.\"access.token.claim\"="true" \
        -s config.\"id.token.claim\"="false"
Share:
37,770

Related videos on Youtube

arkadiy kraportov
Author by

arkadiy kraportov

Updated on April 07, 2020

Comments

  • arkadiy kraportov
    arkadiy kraportov about 4 years

    What is the correct way to set the aud claim to avoid the error below?

    unable to verify the id token   {"error": "oidc: JWT claims invalid: invalid claims, 'aud' claim and 'client_id' do not match, aud=account, client_id=webapp"}

    I kinda worked around this error message by hardcoding aud claim to be the same as my client_id. Is there any better way?

    Here is my docker-compose.yml:

    version: '3'
services:
  keycloak-proxy:
    image: "keycloak/keycloak-gatekeeper"
    environment:
     - PROXY_LISTEN=0.0.0.0:3000
     - PROXY_DISCOVERY_URL=http://keycloak.example.com:8181/auth/realms/realmcom
     - PROXY_CLIENT_ID=webapp
     - PROXY_CLIENT_SECRET=0b57186c-e939-48ff-aa17-cfd3e361f65e
     - PROXY_UPSTREAM_URL=http://test-server:8000
    ports:
      - "8282:3000"
    command:
      - "--verbose"
      - "--enable-refresh-tokens=true"
      - "--enable-default-deny=true"
      - "--resources=uri=/*"
      - "--enable-session-cookies=true"
      - "--encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j"
  test-server:
    image: "test-server"
    • xxSwordy
      xxSwordy over 5 years
      Did you ever find a solution? I am facing the same problem and have no idea how to fix this
  • christopher clark
    christopher clark about 5 years
    I'm still receiving the same error, it looks like gatekeeper is still checking for client_id, even though I have confirmed that the token has the scope of the good-service.
  • popcorny
    popcorny almost 5 years
    Works for me. Actually, the steps can be simpler. Client Scopes are shared mappers and roles. Here we can just add a mapper for my client. 1. edit my client 2. open the mapper tab 3. Create Protocol Mapper 'my-app-audience'. The value is just the same as this reply.
  • martin_wun
    martin_wun over 2 years
    Thanks a lot, the solution worked fine for me as described and saved my day. :)
  • Stealth Rabbi
    Stealth Rabbi over 2 years
    When I add the mapper, my aud becomes a list of [account, my-custom-client], and the audience validation still fails.
  • Max R.
    Max R. about 2 years
    @StealthRabbi you need to remove the audience resolve in Client Scopes -> roles -> Mappers

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to redirect keyclock to application's page and get token
Flutter appauth Invalid parameter: redirect_uri
Authenticate flutter app with keycloak and openid_client
Keycloak adaptor for golang application
Keycloak "Unexpected error when handling authentication request to identity provider"
Spring Boot - KeyCloak directed to 403 forbidden
Keycloak Access Token vs UserInfo token?
Using spring security annotations with keycloak
Keycloak - using admin API to add client role to user
Restricting access to the Keycloak Admin Console