Audience validation failed with Keycloak 8.x in Owin.Security.Keycloak .Net library

When I use this library (link) along with Keycloak 8.x, it fails due to an audience validation error. It redirects to the Keycloak login page successfully, but after entering credentials, it raises the following error:
IDX10214: Audience validation failed. Audiences: 'account'. Did not match: validationParameters.ValidAudience: 'null' or validationParameters.ValidAudiences: 'null, aspnet'.
It seems that this problem does not occur in Keycloak older than 4.x, because I could run it on Keycloak 4.3 without any problem. But on newer versions it always raises this error. Do you have any idea how to solve this problem?

The newer versions of the Keycloak server have changed how the audience claim ("aud") is set in the access token. The library (Owin.Security.Keycloak) assumes that the Keycloak Client ID is in the "aud" claim, which is no longer the case by default.
One way to fix it is, in the Keycloak admin UI, to add a mapper to the Keycloak client that's being used:

  • Name: Audience
  • Mapper type: Audience
  • Included Client Audience: [Client ID]

Also, make sure the .NET library is configured with the option
DisableAllRefreshTokenValidation = true
which is required for newer Keycloak server versions (validation of the refresh token is done on the server side anyway).

For the record: https://stackoverflow.com/questions/53550321/keycloak-gatekeeper-aud-claim-and-client-id-do-not-match

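As an added example, not code from the thread above or from the Owin.Security.Keycloak library: a small Python script that decodes an access token's payload (without verifying the signature, so for debugging only) and applies the audience rule behind IDX10214, so you can confirm from a real token whether the Audience mapper took effect. The two tokens are constructed test data; the client ID `aspnet` is taken from the error message in the question, and the issuer, subject and the exact contents of `aud` after adding the mapper are assumptions. It also shows the `azp` claim, which still carries the client ID even when `aud` does not, which is why the token looks "right" at a glance but still fails the library's check.

```python
import base64
import json
import time


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT base64url omits padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsigned_jwt(payload: dict) -> str:
    """Build a JWT-shaped string with a dummy signature (constructed test data only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "constructed-signature",
    ])


def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Fine for inspecting claims while debugging; never use this for authorization."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def token_audiences(token: str) -> list:
    """Return 'aud' as a list: a single audience is a JSON string, several are an array."""
    aud = decode_payload(token).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def validate_audience(token: str, valid_audience=None, valid_audiences=None):
    """The rule behind IDX10214: at least one 'aud' value must equal ValidAudience
    or be contained in ValidAudiences. Returns (ok, message)."""
    allowed = set(valid_audiences or [])
    if valid_audience:
        allowed.add(valid_audience)
    auds = token_audiences(token)
    matched = allowed & set(auds)
    if matched:
        return True, "audience ok: matched %s" % ", ".join(sorted(matched))
    return False, "Audience validation failed. Audiences: '%s'. Did not match: '%s'." % (
        ", ".join(auds), ", ".join(sorted(allowed)) or "null")


def diagnose(token: str, client_id: str) -> dict:
    """What a practitioner wants to see side by side: azp vs aud vs the library's verdict."""
    payload = decode_payload(token)
    ok, message = validate_audience(token, valid_audiences=[client_id])
    return {"azp": payload.get("azp"), "aud": token_audiences(token),
            "audience_ok": ok, "message": message}


# --- constructed sample tokens (assumed issuer/subject; client ID from the question) ---
CLIENT_ID = "aspnet"
_now = int(time.time())
_base = {
    "iss": "https://keycloak.example.com/auth/realms/demo",  # assumed
    "sub": "c1b7a1e0-0000-4000-8000-000000000001",            # assumed
    "azp": CLIENT_ID,  # authorized party: the client the token was issued to
    "typ": "Bearer",
    "iat": _now,
    "exp": _now + 300,
}

# Without an Audience mapper: newer Keycloak puts only "account" into aud, as in the error.
TOKEN_WITHOUT_MAPPER = make_unsigned_jwt({**_base, "aud": "account"})

# With an Audience mapper (Included Client Audience = aspnet): aud becomes an array.
# That "account" is still present alongside it is an assumption about the realm's defaults.
TOKEN_WITH_MAPPER = make_unsigned_jwt({**_base, "aud": [CLIENT_ID, "account"]})


if __name__ == "__main__":
    for label, token in (("no mapper", TOKEN_WITHOUT_MAPPER), ("with mapper", TOKEN_WITH_MAPPER)):
        print(label, diagnose(token, CLIENT_ID))
```

To use it on a real token, paste the access token from the browser session or from a direct-grant call into `diagnose(token, "<your client id>")`; if `azp` is your client but `aud` lacks it, the mapper is missing or not on the right client.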

Thanks @jangaraj :pray: