Keycloak-gatekeeper:"aud"声明和"client_id"不匹配 [英] Keycloak-gatekeeper: 'aud' claim and 'client_id' do not match

问题描述

设置aud声明以避免以下错误的正确方法是什么?

What is the correct way to set the aud claim to avoid the error below?

unable to verify the id token   {"error": "oidc: JWT claims invalid: invalid claims, 'aud' claim and 'client_id' do not match, aud=account, client_id=webapp"}

我通过硬编码aud声称与我的client_id相同来解决此错误消息.有什么更好的方法吗?

I kinda worked around this error message by hardcoding aud claim to be the same as my client_id. Is there any better way?

这是我的docker-compose.yml:

version: '3'
services:
  keycloak-proxy:
    image: "keycloak/keycloak-gatekeeper"
    environment:
     - PROXY_LISTEN=0.0.0.0:3000
     - PROXY_DISCOVERY_URL=http://keycloak.example.com:8181/auth/realms/realmcom
     - PROXY_CLIENT_ID=webapp
     - PROXY_CLIENT_SECRET=0b57186c-e939-48ff-aa17-cfd3e361f65e
     - PROXY_UPSTREAM_URL=http://test-server:8000
    ports:
      - "8282:3000"
    command:
      - "--verbose"
      - "--enable-refresh-tokens=true"
      - "--enable-default-deny=true"
      - "--resources=uri=/*"
      - "--enable-session-cookies=true"
      - "--encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j"
  test-server:
    image: "test-server"

推荐答案

在最新的4.3.6版密钥斗篷中，客户端ID显然不再自动添加到访问令牌的受众字段"aud"中. 因此，即使登录成功，客户端也会拒绝用户. 要解决此问题，您需要为客户配置受众群体(比较文档[2]).

With recent keycloak version 4.6.0 the client id is apparently no longer automatically added to the audience field 'aud' of the access token. Therefore even though the login succeeds the client rejects the user. To fix this you need to configure the audience for your clients (compare doc [2]).

• 添加领域或配置现有域
• 添加客户端我的应用"或使用现有的
• 转到新添加的客户范围"菜单[1]
  • 添加客户范围优质服务"
  • 在良好服务"转到映射器"选项卡的设置中
    • 创建协议映射器"my-app-audience"
      • 名称:my-app-audience
      • 选择映射器类型:受众
      • 包含的客户对象:我的应用
      • 添加访问令牌:打开
      • Add realm or configure existing
      • Add client my-app or use existing
      • Goto to the newly added "Client Scopes" menu [1]
        • Add Client scope 'good-service'
        • Within the settings of the 'good-service' goto Mappers tab
          • Create Protocol Mapper 'my-app-audience'
            • Name: my-app-audience
            • Choose Mapper type: Audience
            • Included Client Audience: my-app
            • Add to access token: on
            • 我的应用程序设置中的客户范围"标签
            • 将可用的客户范围优质服务"添加到已分配的默认客户范围

            如果您有多个客户端，请对其他客户端也重复上述步骤，并添加良好服务范围. 其背后的目的是隔离客户端访问.颁发的访问令牌仅对目标受众有效. Keycloak的文档[1,2]中对此进行了详细说明.

            If you have more than one client repeat the steps for the other clients as well and add the good-service scope. The intention behind this is to isolate client access. The issued access token will only be valid for the intended audience. This is thoroughly described in Keycloak's documentation [1,2].

            • [1] https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/client-scopes.adoc
            • [2] https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/oidc/audience.adoc
            • [1] https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/client-scopes.adoc
            • [2] https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/clients/oidc/audience.adoc
            • [1] https://github.com/keycloak/keycloak-documentation/blob/f490e1fba7445542c2db0b4202647330ddcdae53/server_admin/topics/clients/oidc/audience.adoc
            • [2] https://github.com/keycloak/keycloak-documentation/blob/5e340356e76a8ef917ef3bfc2e548915f527d093/server_admin/topics/clients/client-scopes.adoc
            • [1] https://github.com/keycloak/keycloak-documentation/blob/f490e1fba7445542c2db0b4202647330ddcdae53/server_admin/topics/clients/oidc/audience.adoc
            • [2] https://github.com/keycloak/keycloak-documentation/blob/5e340356e76a8ef917ef3bfc2e548915f527d093/server_admin/topics/clients/client-scopes.adoc

            这篇关于Keycloak-gatekeeper:"aud"声明和"client_id"不匹配的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！