Comments (9)
Same issue with keycloak 9.0.2. Works fine as long as I use the "account" client.
Exploration revealed that the error was happening in jose.jwt.py::

    if audience not in audience_claims:
        raise JWTClaimsError('Invalid audience')
At this point audience = '<my_client_id>', audience_claims = ['account',]
The audience is being set here. In keycloak.openid_connect.py, the audience is defaulting to the name of the client::

    audience=kwargs.pop('audience', None) or self._client_id

However, I could not find where the audience_claim was being set. After a lot of experimentation, it turns out that the answer is to change the Scope setting of the client. In Client > Scopes, make sure that Full Scope Allowed is OFF.
Now audience = '<my_client_id>' and audience_claims = ['<my_client_id>'], and you will no longer get an error.
from django-keycloak.
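An added illustration (not code from python-jose, django-keycloak or this thread) of why the check quoted above fails: a minimal HS256 JWT issuer and decoder whose audience check has the same shape as the jose snippet. The secret, claims and client id are constructed; Keycloak itself signs with RS256, the HS256 stand-in only keeps the example self-contained.

```python
import base64, hashlib, hmac, json

class JWTError(Exception):
    """Signature or structure problem."""

class JWTClaimsError(JWTError):
    """A claim failed validation; python-jose raises this for a bad aud."""

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims: dict, secret: str) -> str:
    """Constructed stand-in issuer: HS256 with a shared secret (Keycloak uses RS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_aud(claims: dict, audience: str) -> None:
    """Same shape as the jose check quoted in the thread."""
    if "aud" not in claims:
        raise JWTClaimsError("Audience claim expected, but not in claims")
    audience_claims = claims["aud"]
    if isinstance(audience_claims, str):  # RFC 7519: aud may be a bare string
        audience_claims = [audience_claims]
    if audience not in audience_claims:
        raise JWTClaimsError("Invalid audience")

def decode(token: str, secret: str, audience: str) -> dict:
    """Verify the signature first, then the aud claim; return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JWTError("Signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    validate_aud(claims, audience)
    return claims

def aud_accepted(aud, client_id: str, secret: str = "constructed-secret") -> bool:
    """Reproduce the thread's two cases: True when decode() accepts the token."""
    token = make_hs256_token({"sub": "alice", "aud": aud}, secret)
    try:
        decode(token, secret, audience=client_id)
    except JWTClaimsError:
        return False
    return True

if __name__ == "__main__":
    # Before the fix: the token only carries aud=account, so the client id is rejected.
    print(aud_accepted("account", "my-django-app"))                      # False
    # After Full Scope Allowed is off (or an audience mapper): aud names the client.
    print(aud_accepted(["account", "my-django-app"], "my-django-app"))   # True
```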
Thank you @phoebebright
You saved my day.
from django-keycloak.
Today I dived into the topic and it seems that something changed around audience handling after version 3.4.
Please check the Keycloak docs on how to configure audience mapping: https://www.keycloak.org/docs/4.8/server_admin/#_audience
I was able to reproduce your issue in Keycloak 4.8.3 and fixed it by creating an audience mapper for the client.
from django-keycloak.
I faced the same issue while using keycloak v18.0 and the only valid solution was to configure the audience in Keycloak, see https://stackoverflow.com/a/53627747/2995886
from django-keycloak.
An observation after playing around more. If I try using PyCharm to breakpoint into set_session_state_cookie_ in BaseKeycloakMiddleware, it magically fixes itself and my page loads fine to the Django app base url (http://localhost:8000/). :|
So a timing issue somewhere?
from django-keycloak.
So, an update on my trials. At some point it was trying to validate the audience using a claims object with an aud of 'account'. I got it to work by removing the roles auto assigned by Keycloak for the default 'account' client (manage-account, view-profile). In my use case, those will not be used, so no real worries.
From a learning perspective, can you explain the exception relative to an ootb Keycloak setup? Seems like something that should be addressed in the django-keycloak module still.
Thanks for the otherwise great library! I am Keycloak enabled in <50 lines of "code".
from django-keycloak.
Hi @cguethle, I had the same case once but that was with a newer version of Keycloak (probably 4.5). It seems that Keycloak returns a JWT for the account client/audience. Which is a bit weird if you ask me since you explicitly request a token for the client configured in your Django app. Unfortunately I never dug deeper into the issue since I switched to a lower version (3.4) of Keycloak because that version is the base for the commercially supported Red Hat (SSO).
Which version of Keycloak do you use?
from django-keycloak.
I am using the latest version, so this makes sense. I will look into the audience mapper more. Thanks for the quick resolution.
from django-keycloak.
@phoebebright thanks a lot, you're a lifesaver; I used keycloak 9.0.0.
from django-keycloak.