
Make sure that there is a single audience allowed by default in JWT tokens sent to client authentication #38819

@mposolda

Description


There are changes in the OIDC specification that try to make sure that validation of the audience is stricter during client authentication with JWT tokens. More context about this is in this issue: #38751.

As a first step for Keycloak 26.2 we would do:

  • Make sure that JWT client authentication allows only a single audience to be in the JWT token by default.
  • There would be a single option at the server level which allows this check to be less strict and allows multiple audiences in the JWT token. This option would be disabled by default.
  • We will document that in the Keycloak 26.2 release notes and upgrading guide, with the note that the option would probably be removed in Keycloak 27.

Discussion

#38754 (it is the PR, but it contains some discussion)

Motivation

No response

Details

No response
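The audience rule described in this issue, written out as an added Python example; this is illustrative code for the issue, not Keycloak's implementation. It assumes the client assertion's signature, `exp`, `iss` and `sub` are verified elsewhere and only decides whether the `aud` claim is acceptable: by default exactly one audience that must match the token endpoint or the issuer URL, and, when the hypothetical `allow_multiple_audiences` option (modelled on the server-level option the issue proposes) is enabled, several audiences as long as one of them is accepted. The realm URLs and the tokens built by `make_unsigned_test_token` are constructed test data.

```python
import base64
import json
from typing import Iterable, List, Tuple, Union

# Constructed values for this example; a real deployment uses its own realm URLs.
TOKEN_ENDPOINT = "https://idp.example/realms/demo/protocol/openid-connect/token"
ISSUER = "https://idp.example/realms/demo"
ACCEPTED_AUDIENCES = {TOKEN_ENDPOINT, ISSUER}


def _b64url_decode(segment: str) -> bytes:
    # Compact JWS segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS. Signature, exp, iss and sub are
    assumed to be checked by other code; this example only inspects `aud`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(_b64url_decode(parts[1]))


def normalize_aud(aud: Union[str, List[str], None]) -> List[str]:
    """RFC 7519 lets `aud` be a single string or an array of strings."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud must be a string or an array of strings")


def check_client_assertion_audience(
    payload: dict,
    accepted: Iterable[str] = ACCEPTED_AUDIENCES,
    allow_multiple_audiences: bool = False,  # hypothetical server-level opt-in
) -> Tuple[bool, str]:
    """Strict default: exactly one audience, and it must be in `accepted`.
    Relaxed mode: several audiences tolerated if at least one is accepted."""
    accepted = set(accepted)
    auds = normalize_aud(payload.get("aud"))
    if not auds:
        return False, "aud claim missing or empty"
    if len(auds) > 1 and not allow_multiple_audiences:
        return False, "multiple audiences rejected by default: %s" % auds
    if len(auds) == 1:
        if auds[0] in accepted:
            return True, "ok"
        return False, "unknown audience: %s" % auds[0]
    # Relaxed mode with several audiences: one accepted value is enough.
    if any(a in accepted for a in auds):
        return True, "ok (multiple audiences allowed by server option)"
    return False, "none of the audiences is accepted: %s" % auds


def make_unsigned_test_token(claims: dict) -> str:
    """Build a compact JWS with a placeholder signature; constructed test input only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, body, "placeholder-signature")


def validate_token_audience(token: str, allow_multiple_audiences: bool = False) -> Tuple[bool, str]:
    return check_client_assertion_audience(
        decode_jwt_payload(token), ACCEPTED_AUDIENCES, allow_multiple_audiences
    )


if __name__ == "__main__":
    one_aud = make_unsigned_test_token({"iss": "my-client", "sub": "my-client", "aud": TOKEN_ENDPOINT})
    two_auds = make_unsigned_test_token({"iss": "my-client", "sub": "my-client", "aud": [TOKEN_ENDPOINT, ISSUER]})
    print("single aud, strict:", validate_token_audience(one_aud))
    print("two auds, strict:  ", validate_token_audience(two_auds))
    print("two auds, relaxed: ", validate_token_audience(two_auds, allow_multiple_audiences=True))
```

A single-element `aud` array counts as one audience, so clients that always emit an array are not broken by the strict default; only assertions carrying two or more distinct audiences fall under the opt-in.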
