Authentication Failure with OIDC Client After Keycloak Upgrade and Missing "sub" Claim

umut123456 · September 20, 2024, 12:08pm

Hello,

I recently upgraded my Keycloak instance to a newer version, and after the upgrade, I’m experiencing an authentication failure with my OIDC client. Upon checking the JWT token, I noticed that the subject (“sub”) claim is missing.

My questions are:

Is the missing “sub” claim the reason for the failed authentication?
Is there any way to handle authentication without the “sub” claim?

dasniko · September 20, 2024, 12:14pm

No, as you actually have a token, the user is already authenticated succesfully. If your application can‘t handle it, it‘s not related to the authentication itself.

Most likely during the upgrade, your client was not configured to use the new „basic“ client scope as default. The „sub“ claim was moved to this scope. Add it as a default scope to your client config and you are good to go.

cffranco94 · October 11, 2024, 7:16pm

Hello @dasniko,

I already have the basic claim in the client, but still having issues with the sub claim. The authorization is successful, but the token exchange fails. Any ideas?

Thanks in advance

Topic		Replies	Views
Keycloak 15.0.2 - Sub claim replacement fails with Invalid JWT when attribute-mapper but works with script-mapper. Why? Getting advice authentication , identity-brokering	0	857	March 3, 2022
Map "sub" to different claim for openid-userinfo Configuring the server admin-console , oidc	1	368	May 14, 2024
JWT token sub value in OIDC client credentials flow Getting advice	0	724	January 24, 2020
Resource_access claim missing from userinfo - until I change the name? Getting advice oidc	4	8795	August 5, 2020
OIDC: How can I configure the authentication process to use the 'sub' claim from the ID token?	0	17	December 3, 2024

Authentication Failure with OIDC Client After Keycloak Upgrade and Missing "sub" Claim

Related topics