OIDC Authentication to Nextcloud fails after update (25.0.1)

We have configured OIDC authentication to Nextcloud via Keycloak, working like a charm in version 24.0.5. However, after updating to 25.0.1, we can't access Nextcloud anymore because it says that the Bearer Token was Incorrect.

The client used to authenticate is the same one that we used in the previous version (we imported the client and checked it manually to be equal). The OIDC configuration is also the same.

We noticed some differences between the tokens that we were sending before and after the update.

Token payload before update:

{
  "exp": 1720159008,
  "iat": 1720158708,
  "auth_time": 1720158707,
  "jti": "bc25fbe4-154c-4098-ab76-a486e796d3fe",
  "iss": "https://url/auth/realms/realm",
  "sub": "0f387025-67bc-4f1c-a159-7b1507b5829a",
  "typ": "Bearer",
  "azp": "CLIENT-nextcloud",
  "nonce": "e6afa3f3-fd6c-436a-9c69-f40a40bd60bd",
  "session_state": "0317c3b3-1a6f-47f0-8e51-5059515fcc4e",
  "sid": "a8fe6871-02b9-4547-bddf-3f2128c95f6b",
  "acr": "1",
  "scope": "openid email",
  "eid": "87381",
  "email_verified": false,
  "groups": [
    "GROUP A",
    "GROUP B",
    "GROUP C"
  ],
  "email": "mail@examplemail.es"
}

Token payload after update:

{
  "exp": 1720159008,
  "iat": 1720158708,
  "jti": "bc25fbe4-154c-4098-ab76-a486e796d3fe",
  "iss": "https://url/auth/realms/realm",
  "typ": "Bearer",
  "azp": "CLIENT-nextcloud",
  "sid": "a8fe6871-02b9-4547-bddf-3f2128c95f6b",
  "acr": "1",
  "scope": "openid email",
  "eid": "87381",
  "email_verified": false,
  "groups": [
    "GROUP A",
    "GROUP B",
    "GROUP C"
  ],
  "email": "mail@examplemail.es"
}

As you can see, the attributes auth_time, sub, nonce and session_state are no longer present after the update.

Any suggestions?

Thanks in advance

This is mentioned in the release notes/upgrade docs!

Claims sub and auth_time have been moved to a new client scope named basic. Adding this client scope as a default scope to your client config should solve the issue and bring back the claims to your tokens.

Claims nonce and session_state should in most cases not be necessary. If yes, you can add token mappers to bring them back into your tokens.
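A small diagnostic for the situation above, added here as an example and not part of the thread or of Keycloak: it verifies a token's signature, lists which claims disappeared between the pre- and post-upgrade tokens, checks the ones an OIDC client actually needs, and tells you whether the fix is the basic client scope or a protocol mapper. The two payloads are constructed from the thread (trimmed), and the HS256 secret and tokens are constructed for the demo; real Keycloak tokens are RS256 and must be verified against the realm's JWKS before any claim is trusted.

```python
"""Diagnose which OIDC claims a Keycloak upgrade dropped from a token.

Added example, not from the forum thread. Tokens and the HS256 secret are
constructed so the script runs offline; Keycloak itself issues RS256 tokens.
"""
import base64
import hashlib
import hmac
import json

# 'sub' is mandatory in every OIDC ID token; 'auth_time' is required by many
# relying parties (Nextcloud's OIDC app among them) for session handling.
REQUIRED_CLAIMS = {"sub", "auth_time"}
# Claims that Keycloak 25 moved into the new "basic" client scope.
BASIC_SCOPE_CLAIMS = {"sub", "auth_time"}

SECRET = b"constructed-demo-secret"  # constructed, demo only

# Constructed from the payloads in the thread (trimmed to the relevant claims).
BEFORE = {"exp": 1720159008, "iat": 1720158708, "auth_time": 1720158707,
          "iss": "https://url/auth/realms/realm",
          "sub": "0f387025-67bc-4f1c-a159-7b1507b5829a",
          "azp": "CLIENT-nextcloud",
          "nonce": "e6afa3f3-fd6c-436a-9c69-f40a40bd60bd",
          "session_state": "0317c3b3-1a6f-47f0-8e51-5059515fcc4e",
          "scope": "openid email", "email_verified": False,
          "groups": ["GROUP A", "GROUP B"], "email": "mail@examplemail.es"}
AFTER = {k: v for k, v in BEFORE.items()
         if k not in ("auth_time", "sub", "nonce", "session_state")}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Build a signed HS256 JWT for the demo."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verified_payload(token: str, secret: bytes) -> dict:
    """Verify the signature first, then decode the payload. Never inspect
    claims from an unverified token for anything but debugging."""
    header, body, sig = token.split(".")
    # Pin the algorithm: the token must not be allowed to choose it ("none", etc.).
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def diff_claims(before: dict, after: dict) -> dict:
    """Claim names present before the upgrade and gone after, and vice versa."""
    return {"dropped": sorted(set(before) - set(after)),
            "added": sorted(set(after) - set(before))}


def missing_claims(payload: dict, required=REQUIRED_CLAIMS) -> set:
    return set(required) - set(payload)


def diagnose(payload: dict) -> str:
    """Map missing claims to the Keycloak-side fix."""
    missing = missing_claims(payload)
    if not missing:
        return "ok"
    if missing <= BASIC_SCOPE_CLAIMS:
        return (f"missing {sorted(missing)}: add the 'basic' client scope as a "
                f"Default scope on client {payload.get('azp')}")
    return f"missing {sorted(missing)}: add protocol mappers for these claims"


if __name__ == "__main__":
    old = verified_payload(mint_hs256(BEFORE, SECRET), SECRET)
    new = verified_payload(mint_hs256(AFTER, SECRET), SECRET)
    print("dropped:", diff_claims(old, new)["dropped"])
    print("before:", diagnose(old))
    print("after: ", diagnose(new))
```

The "dropped" list shows the four claims from the thread; only sub and auth_time are flagged as blocking, and both belong to the basic scope, so the recommendation is to add that scope rather than write mappers. nonce and session_state are reported but not treated as errors, matching the advice above.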

You're absolutely right!

Adding that basic scope solves the problem; now we have Keycloak updated and working like a charm! We totally overlooked that point in the change docs...

Sorry for all the trouble and misunderstandings.

Thanks again for your time.