
Token decode gives error 'Invalid audience'

Open saivisal1 opened this issue 4 years ago • 11 comments

I am trying to decode the token using `token_info = keycloak_openid.decode_token(token['access_token'], key=KEYCLOAK_PUBLIC_KEY, options=options)`

KEYCLOAK_PUBLIC_KEY: `-----BEGIN PUBLIC KEY-----\n xxxx xxxx \n-----END PUBLIC KEY-----`

options: `{'exp': True, 'verify_signature': False, 'verify_aud': True}`

Error:

```
token_info = keycloak_openid.decode_token(token['access_token'], key=KEYCLOAK_PUBLIC_KEY, options=options)

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/venv/lib/python3.5/site-packages/keycloak/keycloak_openid.py", line 346, in decode_token
    audience=self.client_id, **kwargs)
  File "/venv/lib/python3.5/site-packages/jose/jwt.py", line 172, in decode
    options=defaults)
  File "/venv/lib/python3.5/site-packages/jose/jwt.py", line 495, in _validate_claims
    _validate_aud(claims, audience=audience)
  File "/venv/lib/python3.5/site-packages/jose/jwt.py", line 357, in _validate_aud
    raise JWTClaimsError('Invalid audience')
jose.exceptions.JWTClaimsError: Invalid audience
```

saivisal1 avatar Jun 03 '20 09:06 saivisal1

I hit this - it looks like there has been a change to KeyCloak recently, and it doesn't map the client ID into the auth field of the token by default any more. The solution for me was to add a mapper that maps the client ID into the audience claim (more here: https://stackoverflow.com/questions/53550321/keycloak-gatekeeper-aud-claim-and-client-id-do-not-match)

simonrankine avatar Jul 20 '20 14:07 simonrankine

I also faced a similar issue today; I passed the audience with the decode call.

MohiuddinSumon avatar Aug 16 '20 19:08 MohiuddinSumon

@MohiuddinSumon would you have an example of how to provide the audience in the decode call?

lucj avatar Jan 14 '21 17:01 lucj

@lucj what I finally ended up doing was something like this:

```python
def decode(keycloak_instance, given_token, given_key):
    # Skip the audience check; signature and expiry are still verified.
    options = {"verify_signature": True, "verify_aud": False, "exp": True}
    return keycloak_instance.decode_token(given_token, key=given_key, options=options)
```

Setting verify_aud to false was sufficient for my case.

MohiuddinSumon avatar Jan 17 '21 18:01 MohiuddinSumon

Thanks @MohiuddinSumon, I'm using the same.

lucj avatar Jan 20 '21 09:01 lucj

Same issue with latest Keycloak.

woprandi avatar Feb 23 '23 10:02 woprandi

> same issue with latest keycloak

Have you managed to solve it?

0xf938Ac9BA avatar Apr 05 '23 09:04 0xf938Ac9BA

> same issue with latest keycloak
>
> Have you managed to solve it?

Yes, a few weeks ago:

I added a token mapper (with type Audience) to the dedicated scope of my client. Clients > Your client > Client scopes > your-client-dedicated > Add mapper > by configuration > Audience. Add a name for the mapper, select your client in the select box and enable "Add to access token". Your client should now be in the "aud" field of the access token.

woprandi avatar Apr 05 '23 16:04 woprandi
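Added example (not from this thread or the python-keycloak project) contrasting the two workarounds above: a stdlib-only decoder with the same `verify_signature`/`verify_aud` switches as `decode_token`, run over constructed HS256 tokens (Keycloak issues RS256; the shared secret here stands in for the realm key). It shows that a token without the audience mapper fails with "Invalid audience", that disabling `verify_aud` also accepts a token minted for a different client, and that disabling `verify_signature` accepts a forged payload.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed; stands in for the realm signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict) -> str:
    """Mint a constructed HS256 token standing in for a Keycloak access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_token(token: str, audience: str, options: dict) -> dict:
    """Return the claims; raise ValueError where jose would raise JWSError/JWTClaimsError.

    options mirrors python-keycloak's decode_token: 'verify_signature', 'verify_aud'.
    Signature and audience checks are independent, which is the trap in this thread.
    """
    header, payload, sig = token.split(".")
    if options.get("verify_signature", True):
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            raise ValueError("Signature verification failed")
    claims = json.loads(_b64url_decode(payload))
    if options.get("verify_aud", True):
        aud = claims.get("aud")          # jose accepts a string or a list here
        auds = [aud] if isinstance(aud, str) else (aud or [])
        if audience not in auds:
            raise ValueError("Invalid audience")
    return claims


def accepted(token: str, audience: str, options: dict) -> bool:
    """True if decode_token accepts the token under the given options."""
    try:
        decode_token(token, audience, options)
        return True
    except ValueError:
        return False
```

A token carrying only the default `aud` of `account` is rejected for client `my-client` until the Audience mapper adds the client to the claim; turning `verify_aud` off instead also lets through tokens issued for other clients.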

Thank you!

0xf938Ac9BA avatar Apr 07 '23 08:04 0xf938Ac9BA