Description
Based on the OAuth specifications and the current Keycloak implementation for audience, we propose that in all OAuth flows the 'resource' parameter is read (if present) and validated. The 'resource' parameter value MUST be an absolute URI and MUST NOT include a fragment. For Token Exchange no change will be made, because it already has the "audience" request parameter.
If the request parameter exists (there can be multiple), the audience value will be the request parameter value(s). Otherwise, the 'audience default value' will be added. The 'audience default value' is optionally configured per realm. Its default is empty (no migration needed). Protocol Mappers (with the scope parameter) can enhance the aud claim (current upstream functionality).
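The following is an added example, not Keycloak code, of the validation and audience-derivation rule described above. It assumes a request-parameter map where the `resource` key holds a list of values, a hypothetical per-realm `realm_default_audience` setting, and a list of values contributed by audience Protocol Mappers; the `InvalidTarget` exception name mirrors the `invalid_target` error code that RFC 8707 prescribes for a rejected `resource` value. The absolute-URI check follows RFC 3986 (a scheme must be present) and the fragment check rejects any value containing `#`; RFC 8707 only discourages a query component, so one is not rejected here.

```python
from typing import Dict, List, Optional
from urllib.parse import urlsplit


class InvalidTarget(ValueError):
    """A 'resource' value failed validation (RFC 8707 'invalid_target')."""


def validate_resource(value: str) -> str:
    """Return value unchanged if it is an absolute URI without a fragment.

    Absolute URI (RFC 3986 section 4.3) means a scheme is required; a
    fragment component is anything from the first '#' onward, so its
    mere presence (even an empty '#') is rejected.
    """
    if "#" in value:
        raise InvalidTarget(f"resource must not include a fragment: {value!r}")
    parts = urlsplit(value)
    if not parts.scheme:
        raise InvalidTarget(f"resource must be an absolute URI: {value!r}")
    # A query component is only discouraged by RFC 8707, so it is accepted.
    return value


def is_valid_resource(value: str) -> bool:
    """Boolean wrapper around validate_resource for callers that do not raise."""
    try:
        validate_resource(value)
        return True
    except InvalidTarget:
        return False


def derive_audience(
    request_params: Dict[str, List[str]],
    realm_default_audience: Optional[str] = None,
) -> List[str]:
    """Compute the base 'aud' values for a non-Token-Exchange request.

    - one or more 'resource' parameters present: each is validated and
      becomes an audience value (order preserved, duplicates dropped);
    - none present: the realm's optional default audience, if configured;
    - otherwise an empty list (the realm setting defaults to empty).
    """
    resources = request_params.get("resource", [])
    if resources:
        aud: List[str] = []
        for r in resources:
            validated = validate_resource(r)
            if validated not in aud:
                aud.append(validated)
        return aud
    if realm_default_audience:
        return [realm_default_audience]
    return []


def apply_audience_mappers(aud: List[str], mapper_values: List[str]) -> List[str]:
    """Protocol Mappers can only add audience values, never remove them."""
    result = list(aud)
    for v in mapper_values:
        if v not in result:
            result.append(v)
    return result


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    req = {"resource": ["https://api.example.com/", "urn:example:billing"]}
    base = derive_audience(req, realm_default_audience="https://default.example.com")
    print(apply_audience_mappers(base, ["account"]))
    try:
        derive_audience({"resource": ["https://api.example.com/#v1"]})
    except InvalidTarget as e:
        print("rejected:", e)
```

A request without any `resource` parameter falls back to the realm default, and a realm with an empty default produces no base audience, which is the migration-free behaviour the proposal describes; mapper-contributed values are then appended on top in both cases.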
Discussion
No response
Motivation
We want to support JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens and Resource Indicators for OAuth 2.0.
Keycloak currently, for audience (except Token Exchange), has Protocol Mappers that can be requested with the scope parameter (add values only).
Details
No response