
Comments (9)

phoebebright avatar phoebebright commented on September 16, 2024 3

Same issue with keycloak 9.0.2. Works fine as long as I use the "account" client.

Exploration revealed that the error was happening in jose/jwt.py:

    if audience not in audience_claims:
        raise JWTClaimsError('Invalid audience')

At this point audience = '<my_client_id>', audience_claims = ['account',]

The audience is set in keycloak/openid_connect.py, where it defaults to the client id:

    audience=kwargs.pop('audience', None) or self._client_id

However, I could not find where audience_claims was being set. After a lot of experimentation, it turns out that the answer is to change the Scope setting of the client. In Client > Scopes, make sure that Full Scope Allowed is OFF.

Now audience = '<my_client_id>' and audience_claims = ['<my_client_id>',], and you will no longer get an error.

from django-keycloak.
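The check quoted above is the `aud` claim validation that python-jose performs during decode. The following is an added, self-contained example (not code from python-jose, django-keycloak or Keycloak) that mints and verifies a token with the standard library so the failure mode can be reproduced offline: a token whose `aud` is only `account` is rejected when the verifier expects the Django client id, while a token whose `aud` lists that client id is accepted. HS256 with a shared secret is used purely to keep the example dependency-free (Keycloak signs with RS256); the client id `django-app` and the secret are constructed values.

```python
import base64
import hashlib
import hmac
import json


class JWTClaimsError(Exception):
    """Raised when a claim does not match what the verifier expects (same name python-jose uses)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a test token. Constructed for this example only; Keycloak issues RS256 tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def check_audience(claims: dict, audience: str) -> None:
    """Mirror the aud check from python-jose: 'aud' may be a single string or a list of strings,
    and the expected audience must appear in that list."""
    if "aud" not in claims:
        raise JWTClaimsError("Missing audience")
    audience_claims = claims["aud"]
    if isinstance(audience_claims, str):
        audience_claims = [audience_claims]
    if not isinstance(audience_claims, list) or not all(isinstance(a, str) for a in audience_claims):
        raise JWTClaimsError("Invalid claim format in token")
    if audience not in audience_claims:
        raise JWTClaimsError("Invalid audience")


def verify_hs256_token(token: str, key: bytes, audience: str) -> dict:
    """Verify signature first, then claims, so an attacker cannot learn anything from claim errors
    on a forged token. Returns the claims on success."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never trust the alg from the token beyond what we expect
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    check_audience(claims, audience)
    return claims


def token_accepted(token: str, key: bytes, audience: str) -> bool:
    """True if the token verifies for the given audience, False on an audience mismatch."""
    try:
        verify_hs256_token(token, key, audience)
        return True
    except JWTClaimsError:
        return False


# Constructed sample data reproducing the thread's situation.
SECRET = b"example-shared-secret-not-for-production"
CLIENT_ID = "django-app"
# What Keycloak handed out with Full Scope Allowed on: aud only names the built-in 'account' client.
TOKEN_ACCOUNT_ONLY = make_hs256_token({"sub": "alice", "aud": "account"}, SECRET)
# What you get once an audience mapper (or the scope change) adds your client to aud.
TOKEN_WITH_CLIENT = make_hs256_token({"sub": "alice", "aud": ["account", CLIENT_ID]}, SECRET)

if __name__ == "__main__":
    print("account-only token accepted for", CLIENT_ID, "->", token_accepted(TOKEN_ACCOUNT_ONLY, SECRET, CLIENT_ID))
    print("token listing client accepted for", CLIENT_ID, "->", token_accepted(TOKEN_WITH_CLIENT, SECRET, CLIENT_ID))
```

Note that the first token is a perfectly valid token; it is just not issued *for* the Django client, which is exactly why the verifier must reject it rather than the verifier being "too strict". Turning the check off would let any token from the realm, including one minted for an unrelated client, authenticate to the Django app.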

mark-slepkov avatar mark-slepkov commented on September 16, 2024 2

Thank you @phoebebright
You saved my day.


Peter-Slump avatar Peter-Slump commented on September 16, 2024 1

Today I dived into the topic and it seems that something changed around audience handling after version 3.4.

Please check the Keycloak docs on how to configure audience mapping: https://www.keycloak.org/docs/4.8/server_admin/#_audience

I was able to reproduce your issue in Keycloak 4.8.3 and fixed it by creating an audience mapper for the client.


dabocs avatar dabocs commented on September 16, 2024 1

I faced the same issue while using Keycloak v18.0 and the only valid solution was to configure the audience in Keycloak as described here: https://stackoverflow.com/a/53627747/2995886


cguethle avatar cguethle commented on September 16, 2024

An observation after playing around more. If I try using PyCharm to breakpoint into set_session_state_cookie_ in BaseKeycloakMiddleware, it magically fixes itself and my page loads fine to the Django app base url (http://localhost:8000/).

:|

So a timing issue somewhere?


cguethle avatar cguethle commented on September 16, 2024

So, an update on my trials. At some point it was trying to validate the audience using a claims object with an aud of 'account'. I got it to work by removing the roles auto assigned by Keycloak for the default 'account' client (manage-account, view-profile). In my use case, those will not be used, so no real worries.

From a learning perspective, can you explain the exception relative to an ootb Keycloak setup? Seems like something that should be addressed in the django-keycloak module still.

Thanks for the otherwise great library! I am Keycloak enabled in <50 lines of "code".


Peter-Slump avatar Peter-Slump commented on September 16, 2024

Hi @cguethle, I had the same case once but that was with a newer version of Keycloak (probably 4.5). It seems that Keycloak returns a JWT for the account client/audience. Which is a bit weird if you ask me since you explicitly request a token for the client configured in your Django app. Unfortunately I never dug deeper in the issue since I switched to a lower version (3.4) of Keycloak because that version is the base for the commercially supported Red Hat (SSO).

Which version of Keycloak do you use?


cguethle avatar cguethle commented on September 16, 2024

I am using the latest version, so this makes sense. I will look into the audience mapper more. Thanks for the quick resolution.


ahmedsmaali5 avatar ahmedsmaali5 commented on September 16, 2024

@phoebebright thanks a lot, you're a life saver. I used Keycloak 9.0.0.
