Open m1h43l opened 1 year ago
Just adding @m1h43l queries from public slack channel, which lead to this issue:
Helidon 2.5.5 and Keycloak 20: I am trying to develop a microservice with Helidon which is secured with Keycloak 20. I am using the helidon-microprofile-oidc library and annotated the resource with Authenticated. So far so good. Now I am getting:
2023.01.10 11:29:46 SEVERE io.helidon.security.providers.oidc.TenantAuthenticationHandler Thread[helidon-client-0,5,security-thread-pool]: Fatal issues found:
FATAL: Audience must contain [http://localhost:8181/], yet it is: Optional[[my-realm, master-realm, account]] at io.helidon.security.jwt.Jwt@218aec4b
The aud claim in the JWT is really
"aud": [
    "my-realm",
    "master-realm",
    "account"
],
How do I set the audience either in Helidon (oidc configuration) or in Keycloak correctly?
Thanks in advance.
Mihael
Daniel Kec:
Custom audience should help:
./kcadm.sh create -x "client-scopes" -r ${REALM_NAME} -s name=my-jwt-scope -s protocol=openid-connect
CUSTOM_JWT_AUDIENCE_SCOPE_ID=$(./kcadm.sh get client-scopes --fields id,name -r ${REALM_NAME} \
    | jq -r '.[] | select(.name=="my-jwt-scope").id')
./kcadm.sh create client-scopes/$CUSTOM_JWT_AUDIENCE_SCOPE_ID/protocol-mappers/models -r ${REALM_NAME} -f - << 'EOF'
{
    "protocol": "openid-connect",
    "name": "my-custom-audience",
    "protocolMapper": "oidc-audience-mapper",
    "config": {
        "access.token.claim": "true",
        "id.token.claim": "true",
        "included.client.audience": "",
        "included.custom.audience": "http://localhost:8181/"
    }
}
EOF
Some identity providers don't specify a single client/application in the audience ("aud") claim but all clients the user has access to. This results in an array of values in the aud claim. This makes sense in some cases but Helidon doesn't support this as Helidon expects a single value.
In the case of an array of values in the "aud" claim it would be great if Helidon would check if one of the values in the aud claim equals the configured audience in the Helidon configuration.
This feature request is not specific to any Helidon version or platform.
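The check the report asks for, as an added stand-alone example that is not Helidon's code and not the reporter's: RFC 7519 (section 4.1.3) defines "aud" as either a single string or an array of strings, and a recipient is accepted when the audience it is configured with appears among those values. The example builds a demo HS256 token from constructed claims shaped like the reported one (Keycloak issues RS256 tokens signed with the realm key; the HMAC secret, claim values and function names here are assumptions for the demo), verifies the signature first, and then compares a strict single-value audience check with the RFC 7519 form. It also shows that a token whose payload is swapped but whose signature is kept is rejected before any claim is read.

```python
import base64
import hashlib
import hmac
import json
from typing import Any

# Constructed demo secret. A real deployment verifies the provider's RS256
# signature against the realm's published public key instead.
DEMO_SECRET = b"constructed-demo-secret"

# The audience the service is configured to expect (the value used on the page).
EXPECTED_AUDIENCE = "http://localhost:8181/"

# Constructed claims shaped like the report: array-valued "aud" that does
# not contain the configured audience.
REPORTED_CLAIMS = {"sub": "demo-user", "aud": ["my-realm", "master-realm", "account"]}

# Constructed claims as they might look once a custom audience mapper adds
# the expected value alongside the others (assumed shape, not captured output).
MAPPED_CLAIMS = {"sub": "demo-user",
                 "aud": ["my-realm", "master-realm", "account", EXPECTED_AUDIENCE]}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict[str, Any], secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT for the demo (constructed, not Keycloak output)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def decode_verified_claims(token: str, secret: bytes = DEMO_SECRET) -> dict[str, Any]:
    """Verify the HS256 signature, then return the claims; raise if the token was altered."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload))


def audience_matches_single_value(claims: dict[str, Any], expected_audience: str) -> bool:
    """Strict form: only a bare string equal to the expected audience passes.
    An array-valued "aud" fails here even when it contains the expected value,
    which is the behaviour the report describes."""
    return claims.get("aud") == expected_audience


def audience_matches_rfc7519(claims: dict[str, Any], expected_audience: str) -> bool:
    """RFC 7519 form: "aud" may be a string or an array of strings; accept the
    token when the configured audience is one of them. A missing claim is
    treated as a mismatch, since this service requires an audience."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == expected_audience
    if isinstance(aud, list):
        return any(isinstance(value, str) and value == expected_audience for value in aud)
    return False


def check_token(token: str, expected_audience: str = EXPECTED_AUDIENCE,
                secret: bytes = DEMO_SECRET) -> tuple[bool, bool]:
    """Return (strict_result, rfc7519_result) for a signature-verified token."""
    claims = decode_verified_claims(token, secret)
    return (audience_matches_single_value(claims, expected_audience),
            audience_matches_rfc7519(claims, expected_audience))


def signature_rejects_swapped_payload() -> bool:
    """Keep the signature of the reported token but splice in the mapped payload;
    signature verification must reject it before any audience logic runs."""
    header, _, signature = make_hs256_token(REPORTED_CLAIMS).split(".")
    _, mapped_payload, _ = make_hs256_token(MAPPED_CLAIMS).split(".")
    try:
        decode_verified_claims(f"{header}.{mapped_payload}.{signature}")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("reported token:", check_token(make_hs256_token(REPORTED_CLAIMS)))
    print("mapped token:  ", check_token(make_hs256_token(MAPPED_CLAIMS)))
    print("forged payload rejected:", signature_rejects_swapped_payload())
```

The two checks only diverge for the mapped token: the strict comparison still fails because the claim is an array, while the RFC 7519 form accepts it because the configured audience is present. The order matters for defenders as well: the signature is verified before "aud" is inspected, so an attacker cannot steer the audience logic by editing an unsigned payload.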