Audience validation failed with Keycloak 8.x in Owin.Security.Keycloak .Net library

Newer versions of the Keycloak server have changed how the audience claim (“aud”) is set in the access token. The library (Owin.Security.Keycloak) assumes that the Keycloak Client ID is in the “aud” claim, which is no longer the case by default.
One way to fix it is to add a mapper to the Keycloak Client being used, in the Keycloak admin UI:

  • Name: Audience
  • Mapper type: Audience
  • Included Client Audience: [Client ID]

Also, make sure the .NET library is configured with the option
DisableAllRefreshTokenValidation = true
which is required for newer Keycloak server versions (validation of the refresh token is done on the server side anyway).
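To see what the mapper changes, here is an added example (Python, written for this note; it is not code from the post or from the Owin.Security.Keycloak library) that decodes the payload of an access token and checks whether its “aud” claim contains the client ID. Per RFC 7519 “aud” may be a single string or an array, so the check accepts both; the client ID and both token payloads are constructed samples, and the decoder skips signature verification because only the audience logic is being shown.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def payload_claims(token: str) -> dict:
    """Return the claims from the middle segment of a compact JWT.

    The signature is NOT verified here; a real consumer (the library does
    this) must verify it before trusting any claim. This helper only
    isolates the audience logic for demonstration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(claims: dict, client_id: str) -> bool:
    """True if the client ID is in 'aud' (string or array form, RFC 7519)."""
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        return aud == client_id
    return client_id in aud


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned test token (header.payload. with empty
    signature) so the samples below can be decoded offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}."


# Constructed samples (assumed shapes): without the mapper the token's
# 'aud' does not name the client, only 'azp' does; with the Audience
# mapper the client ID is added to 'aud'.
CLIENT_ID = "my-dotnet-app"  # assumed client id
BEFORE_MAPPER = make_unsigned_token({"aud": "account", "azp": CLIENT_ID})
AFTER_MAPPER = make_unsigned_token({"aud": ["account", CLIENT_ID], "azp": CLIENT_ID})
```

Note that “azp” (authorized party) alone is not accepted as an audience, which is exactly why the library's check fails until the mapper is added.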