Enforce single audience in access token

Hi everyone,

I would like to have your advice about this specific issue.

We have two resource servers that expose a set of resources that must be strictly isolated from each other (our concern is about privacy and pseudoanonymization).

My idea was to leverage Keycloak audience support and to identify each resource server with an audience. Then all clients should use two distinct tokens to interact separately with the two resource servers, each token containing just one of the two audiences.

I would like to enforce that policy in Keycloak so that if clients ask the release of a token with both audiences, the request is rejected by Keycloak.

Can that be achieved through configuration or alternatively customizing or extending Keycloak (i.e. implementing some SPI)?

There are other options you would advice that I didn’t considered?



I would suggest you to create two clients, one client per server resource in keycloak realm
For each client, you disable the option “Full Scope Allowed” (go to client/scope/ Scope Mappings menu for that) and select the roles to be generated in the token for this client.
Do the same for the second client/resource server.
Then use the claim azp present in the access token instead of aud claim in your backend service to know to the party to which the ID Token was issued.

you can test and evaluate the client scopes here: https://www.keycloak.org/docs/latest/server_admin/#_client_scopes_evaluate

1 Like

@bfall Thanks for your reply.
Your suggestion seems the better option for us and we are considering to implement it with the only difference that in our case the clients provide to the resource servers an access token and that we would use the “aud” claim of the token. The resource servers then would validate the token by identifying theirselves with the specified “aud” (we already use the Spring Boot Keycloak adapter and we can simply switch the “verify-token-audience” option to true).