Introducing new option DisableAllRefreshTokenValidation (default false)
to disable ALL validation on Refresh tokens.
In Keycloak server somewhere between v4.6-4.8, it was decided that
the contents of the "aud" claim in Refresh tokens should contain the
Keycloak Realm URL instead of the Keycloak ClientId.
This led to an issue with this library, which validates the "aud"
claim in Refresh tokens to contain the ClientId.
Setting this option to true will disable ALL validation of Refresh
tokens (but keep validation for ID/Access tokens).
As the application should not use the contents of the Refresh tokens,
and only send them back to the Keycloak server (which will validate them),
it should be safe to disable it.
This option overrides and can be used instead of
DisableRefreshTokenSignatureValidation.
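Added illustration of the validation policy this option describes (example code, not the library's own): ID/access tokens always get signature and "aud" checks, while a refresh token whose "aud" is the realm URL would fail the ClientId check unless the option treats it as opaque. The HS256 helper, client id, realm URL and key are all constructed for this example.

```python
import base64, hashlib, hmac, json

# Constructed values for this example (not from the library or a real realm).
CLIENT_ID = "my-app"
REALM_URL = "https://keycloak.example.com/auth/realms/demo"
SECRET = b"constructed-hs256-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes = SECRET) -> str:
    """Build an HS256 JWT (hypothetical helper so the example runs offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_token(token: str, token_type: str, client_id: str,
                   disable_all_refresh_validation: bool = False) -> dict:
    """Return the claims if the token passes the policy from the commit message.

    ID/access tokens: signature and "aud" containing the client id are always checked.
    Refresh tokens: skipped entirely when the option is set, because the app only
    hands them back to Keycloak, which validates them itself.
    """
    if token_type == "refresh" and disable_all_refresh_validation:
        return {}  # treated as opaque: nothing inside is inspected or trusted
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if client_id not in auds:
        raise ValueError(f"aud {auds!r} does not contain client id {client_id!r}")
    return claims

def is_valid(token: str, token_type: str, client_id: str,
             disable_all_refresh_validation: bool = False) -> bool:
    """Boolean wrapper around validate_token for policy checks."""
    try:
        validate_token(token, token_type, client_id, disable_all_refresh_validation)
        return True
    except ValueError:
        return False
```

Note that with the option set, the refresh token is still never parsed: the application must not read claims out of it, which is exactly why skipping its validation is acceptable here.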