mattmorg55 / Owin.Security.Keycloak

Keycloak Authentication Middleware for the C# OWIN Pipeline
http://keycloak.jboss.org
MIT License

FIX: Option to disable all validation of Refresh Token #13

Closed highbyte closed 5 years ago

highbyte commented 5 years ago

Introducing new option DisableAllRefreshTokenValidation (default false) to disable ALL validation on Refresh tokens.

In Keycloak server, somewhere between v4.6 and 4.8, it was decided that the "aud" claim in Refresh tokens should contain the Keycloak Realm URL instead of the Keycloak ClientId. This led to an issue with this library, which validates that the "aud" claim in Refresh tokens contains the ClientId. Setting this option to true will disable ALL validation of Refresh tokens (but keep validation for the ID/Access token). As the application should not use the contents of the Refresh token, and should only send it back to the Keycloak server (which will validate it), it should be safe to disable it. This option overrides and can be used instead of DisableRefreshTokenSignatureValidation.
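The policy described in this PR, as an added illustration that is not code from Owin.Security.Keycloak or from the PR author: ID and access tokens always have their "aud" claim checked against the ClientId, while a refresh token is either checked the same way or, when all refresh token validation is disabled, treated as an opaque value the application never inspects and simply hands back to Keycloak. The tokens below are constructed JWT-shaped strings with a placeholder signature segment; the client id, realm URL and function names are hypothetical and chosen for this example only.

```python
import base64
import json

# Hypothetical values for this example (not from the project or any real deployment).
CLIENT_ID = "owin-sample-app"
REALM_URL = "https://keycloak.example.invalid/auth/realms/sample"


def b64url_encode(obj):
    """Encode a dict as a base64url JSON segment, as JWT header/payload segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_constructed_token(claims):
    """Build a constructed JWT-shaped string for the example.

    The signature segment is a placeholder: signature verification is a separate
    step and is not what the 'aud' mismatch in the PR is about."""
    header = b64url_encode({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{b64url_encode(claims)}.placeholder-signature"


def read_claims(token):
    """Return the payload claims of a JWT-shaped token (claims only, no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT-shaped token")
    return json.loads(b64url_decode(parts[1]))


def audience_contains(claims, expected):
    """'aud' may be a single string or a list; accept either form."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return expected in (aud or [])


def validate_token(token, token_type, client_id, disable_all_refresh_validation=False):
    """Apply the PR's policy and return (accepted, reason).

    token_type is "id", "access" or "refresh". ID/access tokens must carry the
    client id in 'aud'. Refresh tokens get the same check unless the option is
    set, in which case they are not inspected at all: the application only
    forwards them to Keycloak, which validates them on use."""
    if token_type == "refresh" and disable_all_refresh_validation:
        return True, "refresh token treated as opaque; Keycloak validates it on use"
    claims = read_claims(token)
    if not audience_contains(claims, client_id):
        return False, f"aud {claims.get('aud')!r} does not contain client id {client_id!r}"
    return True, "aud contains client id"


def demo():
    """Show the three cases the PR text describes; returns the accepted flags."""
    access = make_constructed_token({"aud": CLIENT_ID, "typ": "Bearer"})
    old_refresh = make_constructed_token({"aud": CLIENT_ID, "typ": "Refresh"})
    new_refresh = make_constructed_token({"aud": REALM_URL, "typ": "Refresh"})
    results = {
        "access token, aud = client id": validate_token(access, "access", CLIENT_ID),
        "refresh token (pre-4.6 style), aud = client id": validate_token(old_refresh, "refresh", CLIENT_ID),
        "refresh token (4.6-4.8 style), strict policy": validate_token(new_refresh, "refresh", CLIENT_ID),
        "refresh token (4.6-4.8 style), validation disabled": validate_token(
            new_refresh, "refresh", CLIENT_ID, disable_all_refresh_validation=True),
    }
    for label, (ok, reason) in results.items():
        print(f"{label}: {'accepted' if ok else 'rejected'} ({reason})")
    return {label: ok for label, (ok, _) in results.items()}


if __name__ == "__main__":
    demo()
```

The third case is the failure the PR fixes: a refresh token whose "aud" is the realm URL is rejected by the strict check even though the application never consumes its claims. Note that only the refresh token path is affected by the option; an access or ID token with a mismatched audience is still rejected regardless of the flag, which is the property worth asserting in any regression test for this change.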

highbyte commented 5 years ago

@mattmorg55 Hi, is it possible to have this merged into the dev branch? It enables an option for compatibility with Keycloak server 4.6-4.8.

highbyte commented 5 years ago

@mattmorg55 New version 3.0.5 is built and published on nuget.org.