THREESCALE-15279: Add an "audience" protocol mapper to Keycloak integration#597
Open
jlledom wants to merge 1 commit into
RHBK 26.6.2+ rejects token introspection when the calling client is not in the token's aud claim. Previously, Zync created OIDC clients without an audience mapper, so tokens only contained aud: "account". This caused introspection to fail with "Client '<client_id>' is not in the token audience". Add an oidc-audience-mapper protocol mapper to every client created or updated by Zync. The mapper injects the client's own ID into the aud claim of access tokens, satisfying RHBK's new validation requirement while leaving ID tokens unchanged. Assisted-by: Claude Code
Jira Issue:
https://redhat.atlassian.net/browse/THREESCALE-15279
Description:
As the issue describes, after a breaking change in a recent RHBK release, the token introspection feature stopped working. In order to fix it, we need to ensure the access token received from Keycloak includes the client id in the `aud` field. Keycloak provides a way to write on this field, which is installing a protocol mapper of type `oidc-audience-mapper` in all clients. This PR modifies the Keycloak integration in Zync to add such a mapper in the requests to the client registration service in Keycloak.
Verification steps:
- `oidc-audience-mapper` for client registration
- `oidc-audience-mapper` to the `Allowed Protocol Mapper Types` policy for both `Anonymous` and `Authenticated` clients
- `{"active": false}` then it's not working.
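To make the fix concrete, here is an added Ruby example (not Zync's own code) that builds the `oidc-audience-mapper` entry a client representation would carry, and a check mirroring the RHBK rule that the calling client must appear in the token's `aud` for introspection to succeed. The Keycloak config keys `included.client.audience`, `access.token.claim` and `id.token.claim` are those of the upstream audience mapper; the client representation shape and the sample tokens are constructed for the example.

```ruby
require 'json'
require 'base64'

AUDIENCE_MAPPER_TYPE = 'oidc-audience-mapper'

# Protocol mapper that puts the client's own ID into the aud claim of access
# tokens only (ID tokens stay unchanged, matching the PR's intent).
def audience_mapper(client_id)
  {
    'name' => 'audience',
    'protocol' => 'openid-connect',
    'protocolMapper' => AUDIENCE_MAPPER_TYPE,
    'config' => {
      'included.client.audience' => client_id, # client's own ID goes into aud
      'access.token.claim' => 'true',          # write it into access tokens
      'id.token.claim' => 'false'              # leave ID tokens as they were
    }
  }
end

# Constructed sample of what a client registration request would carry.
def client_representation(client_id, name:)
  {
    'clientId' => client_id,
    'name' => name,
    'protocolMappers' => [audience_mapper(client_id)]
  }
end

# Constructed, unsigned token for local inspection only (no signature here).
def sample_token(claims)
  header = Base64.urlsafe_encode64(JSON.generate('alg' => 'none', 'typ' => 'JWT'), padding: false)
  body = Base64.urlsafe_encode64(JSON.generate(claims), padding: false)
  "#{header}.#{body}."
end

# Return the aud claim of a JWT payload as an array (aud may be a string or a list).
def token_audiences(jwt)
  payload = jwt.split('.')[1]
  Array(JSON.parse(Base64.urlsafe_decode64(payload))['aud'])
end

# Mirrors the RHBK 26.6.2+ check: introspection is accepted only when the
# calling client is listed in the token's aud claim.
def introspection_allowed?(jwt, calling_client_id)
  token_audiences(jwt).include?(calling_client_id)
end
```

A token issued before the mapper existed (`aud: "account"`) fails the check for the calling client, while one issued with the mapper in place passes.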