mattmorg55 / Owin.Security.Keycloak

Keycloak Authentication Middleware for the C# OWIN Pipeline
http://keycloak.jboss.org
MIT License

Audience validation failed with Keycloak 8.x #17

Closed mohammadmjn closed 4 years ago

mohammadmjn commented 4 years ago

When I use this library along with Keycloak 8.x it fails due to an audience validation error. It redirects to the Keycloak login page successfully, but after entering credentials, it raises the following error: IDX10214: Audience validation failed. Audiences: 'account'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: 'null, aspnet'. It seems that this problem does not occur in Keycloak older than 4.x, because I could run it on Keycloak 4.3 without any problem. But on newer versions it always raises this error!

highbyte commented 4 years ago

The newer versions of the Keycloak server have changed how the audience claim ("aud") is set in the access token. The library assumes that the Keycloak Client ID is in the "aud" claim, which is no longer the case by default.

One way to fix it is, in the Keycloak admin UI, to add a mapper to the Keycloak Client that's being used.

Also, make sure the .NET library is configured with the option DisableAllRefreshTokenValidation = true, which is required for newer Keycloak server versions (validation of the refresh token is done on the server side anyway).
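Added example, not code from Owin.Security.Keycloak or from either commenter: a minimal re-implementation of the audience rule behind the IDX10214 error above, run against two constructed access-token payloads (a Keycloak 8 style default where "aud" only holds the built-in "account" client, and the same token after an audience mapper adds the application's client ID). The realm URL, the client ID "aspnet" (taken from the error text) and the token contents are made up; the mapper payload at the end uses the field names I believe Keycloak's admin REST API expects, and should be compared against what the admin console itself creates.

```python
# Added example (not the library's code): audience validation as the .NET
# token validator applies it, against constructed Keycloak-style payloads.
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT.

    The signature is deliberately NOT checked here; this only inspects the
    payload the way the audience check does after signature validation."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def validate_audience(claims: dict, valid_audiences) -> bool:
    """Mirror of the IDX10214 rule: 'aud' may be a string or an array, and at
    least one entry must equal one of the configured valid audiences."""
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("IDX10214-like: token carries no 'aud' claim")
    token_audiences = [aud] if isinstance(aud, str) else list(aud)
    valid = set(valid_audiences)
    if not any(a in valid for a in token_audiences):
        raise ValueError(
            f"IDX10214-like: Audiences: {token_audiences}. "
            f"Did not match: {sorted(valid)}"
        )
    return True


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with an empty signature (constructed input only)."""
    def seg(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


# Constructed: what a Keycloak 8 default access token looks like for this
# purpose. Only the built-in 'account' client is in 'aud'; the application's
# own client ID appears in 'azp' but not in 'aud'.
KEYCLOAK8_DEFAULT = make_unsigned_jwt({
    "iss": "https://keycloak.example.test/auth/realms/demo",  # assumed realm
    "azp": "aspnet",
    "aud": "account",
    "exp": 1600000060,
})

# Constructed: the same token after an audience mapper for 'aspnet' is added.
KEYCLOAK8_WITH_MAPPER = make_unsigned_jwt({
    "iss": "https://keycloak.example.test/auth/realms/demo",
    "azp": "aspnet",
    "aud": ["aspnet", "account"],
    "exp": 1600000060,
})

# The library expects its own ClientId among the valid audiences
# ('aspnet' is the value shown in the error message on this page).
VALID_AUDIENCES = ["aspnet"]


def check(token: str) -> bool:
    """True if the token passes audience validation, False if it would
    produce the IDX10214 failure."""
    try:
        return validate_audience(jwt_payload(token), VALID_AUDIENCES)
    except ValueError:
        return False


# Protocol-mapper definition that makes Keycloak put the client ID in 'aud'.
# Field names are my recollection of Keycloak's admin REST representation
# (assumption); verify against a mapper exported from your own server.
AUDIENCE_MAPPER = {
    "name": "aspnet-audience",
    "protocol": "openid-connect",
    "protocolMapper": "oidc-audience-mapper",
    "config": {
        "included.client.audience": "aspnet",
        "id.token.claim": "false",
        "access.token.claim": "true",
    },
}

if __name__ == "__main__":
    print("default token passes audience check:", check(KEYCLOAK8_DEFAULT))      # False
    print("mapped token passes audience check:", check(KEYCLOAK8_WITH_MAPPER))   # True
```

The point of the list handling in validate_audience is that after the mapper is added, "aud" becomes an array containing both "aspnet" and "account"; a validator that only compared a single string would still reject it. Disabling audience validation instead of adding the mapper would make any token the realm issues, for any client, acceptable to the application, so the mapper is the fix to prefer.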

mohammadmjn commented 4 years ago

@highbyte Thanks. It works now. By the way, I have 2 other questions about single sign-out. How do I add logout to my ASP.NET About page after a successful login using this library? Another question is that when I kill the active session of the logged-in user from the Keycloak admin console, or log out from the Keycloak account page of the corresponding user in another tab of my browser, and after that reload the About page, it remains active in the ASP.NET app. Actually the app is not aware of the logout action in other tabs.

highbyte commented 4 years ago

To log out, use the standard ASP.NET OWIN mechanism in an MVC controller action: HttpContext.GetOwinContext().Authentication.SignOut(); This will remove the ASP.NET auth cookie, as well as log out from the Keycloak session. If you've defined the PostLogoutRedirectUrl option, it will redirect there. Otherwise to the root of the application.

If you log out from the Keycloak session outside of your application, the ASP.NET auth cookie will continue to keep your application "logged in" until the Access Token has expired (by default 1 min). The Access Token Lifespan is defined in Keycloak Realm Settings -> Tokens. If you have multiple applications that use Keycloak, make sure to expose a logout endpoint in each application, and visit all of them (chain of redirects).

mohammadmjn commented 4 years ago

@highbyte Thanks. Could you please provide more details about your suggestion of a chain of redirects? I have multiple applications, including Java, PHP and ASP.NET, which use Keycloak as the authentication server. All these applications use the same realm. When I log in from one of these applications, all other apps are aware that the user is logged in. And when I log out from one of them, all apps are aware of the destroyed session except the ASP.NET app that utilizes this library (Owin.Security.Keycloak). I mean, when I log out from one of the apps (e.g. the Java app), all other Java and PHP apps redirect to the Keycloak login page after reloading their protected page, but the ASP.NET app remains active, and when I reload the About page it continues showing user info taken from the token (using ClaimsPrincipal).