
Align JwtClient authentication with latest OIDC spec updates #38751

@thomasdarimont

Description


We need to adjust the audience validation in JWTClientAuthenticator and JWTClientSecretAuthenticator to stay aligned with upcoming changes in the OIDC Core specification with respect to the private_key_jwt client authentication mechanism.

Old: https://openid.net/specs/openid-connect-core-1_0-35.html#rfc.section.9

aud

REQUIRED. Audience. The aud (audience) Claim. Value that identifies the Authorization Server as an intended audience. The Authorization Server MUST verify that it is an intended audience for the token. 

The Audience SHOULD be the URL of the Authorization Server's Token Endpoint.

New: https://openid.net/specs/openid-connect-core-1_0-36.html#rfc.section.9

aud

REQUIRED. Audience. The aud (audience) Claim. Value that identifies the Authorization Server as the intended audience. The Authorization Server MUST verify that it is the sole audience for the token. 

The Audience value MUST be the OP's Issuer Identifier passed as a string, and not a single-element array.

Discussion

No response

Motivation

The current JWTClientAuthenticator, which is Keycloak's implementation of private_key_jwt client authentication, accepts the following audience values in the JWT assertion:

  • issuerUrl
  • tokenUrl
  • tokenIntrospectionUrl
  • parEndpointUrl
  • (ciba) backchannelAuthenticationUrl

As a related note the JWTClientSecretAuthenticator allows the following audience values in the JWT assertion:

  • issuerUrl
  • tokenUrl

According to the changed OIDC core specification, we must only allow the realm issuer URL in the audience claim of the JWT assertion.

Details

To remain backwards compatible with existing clients, we should add a generic switch in JWTClientAuthenticator and JWTClientSecretAuthenticator to toggle the behavior for all JWT-based client authentications. We should probably introduce a new base class like AbstractJwtClientAuthenticator to handle this.
If we need to allow client specific overrides, we might need to add an OIDC compatibility setting in the client config and respect it during JWT assertion audience validation.
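The two validation modes contrasted above, as a standalone illustration (this is added example code, not Keycloak's authenticators or Keycloak's API): the lenient legacy check that accepts the endpoint URLs listed under Motivation, and the strict rule from OIDC Core 1.0 draft 36, under which `aud` must be the OP's Issuer Identifier as a plain string and the Authorization Server must be the sole audience. The `RealmEndpoints` type, the `strict_oidc` switch and the "any listed audience matches" semantics of the legacy mode are assumptions made for the example, not Keycloak's exact behavior; the realm URLs are constructed sample values.

```python
"""Audience ("aud") validation for JWT-based client authentication assertions.

Constructed illustration, not Keycloak code. It contrasts the lenient legacy
behaviour (several realm endpoint URLs accepted) with the strict rule from
OIDC Core 1.0 draft 36 (issuer identifier only, as a string, sole audience).
"""
from dataclasses import dataclass
from typing import List, Set, Tuple, Union

AudClaim = Union[str, List[str], None]


@dataclass(frozen=True)
class RealmEndpoints:
    """Realm URLs a client might put in 'aud' (assumed structure, not Keycloak's)."""
    issuer_url: str
    token_url: str
    token_introspection_url: str
    par_endpoint_url: str
    backchannel_authentication_url: str


# Constructed sample realm used by the demo and the assertions.
DEMO_REALM = RealmEndpoints(
    issuer_url="https://idp.example/realms/demo",
    token_url="https://idp.example/realms/demo/protocol/openid-connect/token",
    token_introspection_url="https://idp.example/realms/demo/protocol/openid-connect/token/introspect",
    par_endpoint_url="https://idp.example/realms/demo/protocol/openid-connect/ext/par/request",
    backchannel_authentication_url="https://idp.example/realms/demo/protocol/openid-connect/ext/ciba/auth",
)


def legacy_allowed_audiences(realm: RealmEndpoints, secret_based: bool) -> Set[str]:
    """Audiences the current authenticators accept, per the lists in the issue.

    secret_based=True models JWTClientSecretAuthenticator (issuer + token URL),
    secret_based=False models JWTClientAuthenticator (private_key_jwt).
    """
    if secret_based:
        return {realm.issuer_url, realm.token_url}
    return {
        realm.issuer_url,
        realm.token_url,
        realm.token_introspection_url,
        realm.par_endpoint_url,
        realm.backchannel_authentication_url,
    }


def validate_audience(aud: AudClaim, realm: RealmEndpoints, *,
                      secret_based: bool = False,
                      strict_oidc: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for the 'aud' claim of a client assertion.

    strict_oidc is the assumed compatibility switch the issue proposes:
    True  -> OIDC Core draft 36 rule: a single string equal to the issuer.
    False -> legacy rule: any accepted endpoint URL, string or array (assumed
             'any match' semantics for the array form).
    """
    if strict_oidc:
        # Draft 36: a single-element array is explicitly NOT acceptable.
        if isinstance(aud, list):
            return False, "aud must be a string, not an array"
        if not isinstance(aud, str) or not aud:
            return False, "aud missing or not a string"
        if aud != realm.issuer_url:
            return False, "aud must equal the realm issuer identifier"
        return True, "ok"

    allowed = legacy_allowed_audiences(realm, secret_based)
    values = aud if isinstance(aud, list) else [aud]
    if not values or not all(isinstance(v, str) and v for v in values):
        return False, "aud missing or malformed"
    if any(v in allowed for v in values):
        return True, "ok (legacy)"
    return False, "no accepted audience in aud"


if __name__ == "__main__":
    for claim in (DEMO_REALM.issuer_url, [DEMO_REALM.issuer_url], DEMO_REALM.token_url):
        print(repr(claim), "strict:", validate_audience(claim, DEMO_REALM),
              "legacy:", validate_audience(claim, DEMO_REALM, strict_oidc=False))
```

Under the strict rule the token endpoint URL, which most existing clients send today, is rejected, which is exactly why the issue proposes a compatibility switch before flipping the default; a per-client override would simply pass a different `strict_oidc` value for that client.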
