Set "iss" in JWT to Custom Value (Hardcoded Okay)

cmiles74 · April 24, 2023, 7:03pm

My application is authenticating to another application as a “backend” service via OAuth2. So far I have setup a new client in my realm that I will use to issue the access tokens for this service. The service has several requirements and I’ve managed to satisfy all of them except this one: they would like me to put the “client ID” they have issued my application in the “iss” claim of the token.

Keycloak is currently placing the URL for the realm in the “iss” claim. I tried adding a hard-coded claim for the “iss” claim with the client ID but that is being ignored by Keycloak.

Is there a way to specify the “iss” claim for a realm client such that it appears in the generated access tokens?

Thank you!

cmiles74 · April 24, 2023, 7:04pm

I did test with the access tokens and the error from this service looks to confirm that I do need to change the “iss” value, the error is “invalid_client”. I’m working with the Epic Systems EHR.

cmiles74 · April 26, 2023, 1:29pm

It looks like Keycloak is hard-coded to disallow overriding of some specific claims, “iss” is among these.

github.com

keycloak/keycloak/blob/main/services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java#L107-L115


      
          tmpToken.put("jti", notAllowedInToken);
          tmpToken.put("typ", notAllowedInToken);
          tmpToken.put("iat", notAllowedInToken);
          tmpToken.put("exp", notAllowedInToken);
          tmpToken.put("iss", notAllowedInToken);
          tmpToken.put("scope", notAllowedInToken);
          tmpToken.put(IDToken.NONCE, notAllowedInToken);
          tmpToken.put(IDToken.AUTH_TIME, notAllowedInToken);
          tmpToken.put(IDToken.SESSION_STATE, notAllowedInToken);

Removing line 111 in the file referenced above does resolve this issue for me. I have opened an issue with the project to try and figure out how best to proceed.

github.com/keycloak/keycloak

Backend OAuth2 Flow Broken, the "iss" Claim is Hard-Coded to the Keycloak URL

opened 07:14PM - 25 Apr 23 UTC

cmiles74

area/oidc kind/feature status/triage team/core

### Before reporting an issue - [X] I have searched existing issues - [X] I hav…e reproduced the issue with the latest release ### Area oidc ### Describe the bug Keycloak contains a hard-coded rule that will not let the "iss" claim be set to a custom value in an "access token". ### Version 20.0.5 ### Expected behavior This can be demonstrated by adding a hard-coded claim to a client scope, when you attempt to fetch an access token for that client an error will be written to the log file. If we had a Keycloak instance configured with such a client we might issue the following request: ```shell curl https://my-keycloak-instance/auth/realms/myrealm/protocol/openid-connect/token \ -H 'Cache-Control: nocache' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'grant_type=client_credentials&client_id=CLIENT_ID&client_secret=SECRET_GOES_HERE' ``` I would expect the "iss" value in the token to be the values specified in the hard-coded claim. ### Actual behavior Instead the following message would appears in the log file... > Claim "iss" is non-modifiable in IDToken. Ignoring the assignment for mapper 'hardcoded-iss-mapper'. ...And the returned JWT token would have the URL for the Keycloak instance in the "iss" claim. ### How to Reproduce? Add a hard-coded claim to a client scope that sets the "iss" value, then request an access token. ### Anything else? While having the URL for Keycloak in the "iss" claim makes a lot of sense for a variety of use-cases, I would argue that it is not the right thing to do for _every_ use case. It is a reasonable default but we need to enable people to provide their own value when that is what makes sense for their situation. In my own experience, I need to perform backend authentication to a third party service. This third party has a clear list of what they need to see in the claims of the token, including a specific value in the "iss" claim. While I don't like this requirement I am powerless to change the mind of this third party (who looms large in the hospital-wide electronic health record space). By way of filling in some history on this issue, it was originally change in https://github.com/keycloak/keycloak/pull/8680, this PR was addressing issue 14309. https://issues.redhat.com/browse/KEYCLOAK-14309?attachmentViewMode=list I have patched my Keycloak instance in order to verify that this was the root cause, the patch is very short. I removed line 111 from the `services/src/main/java/org/keycloak/protocol/oidc/mappers/OIDCAttributeMapperHelper.java` file. I realize that this may not be the best way to resolve this issue. I would be glad to work on this further and submit a PR, please let me know how I should best proceed. Thank you for your time! 🙂

Topic		Replies	Views
Token Validation mismatch between iss and realm url Configuring the server	1	1497	September 18, 2022
Issuer claim validation Securing applications authentication	4	1648	October 26, 2022
Issue with application in docker settings Securing applications authentication , oidc	1	388	February 9, 2024
I have an error invalid token wrong iss Securing applications authentication	0	529	December 8, 2023
Securing API with issues on a deployed instance Configuring the server authentication	0	336	December 18, 2020

Set "iss" in JWT to Custom Value (Hardcoded Okay)

Related Topics