Keycloak / KEYCLOAK-767

OpenID Connect invalid ID Token generation



    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 1.0.1.Final
    • Fix Version/s: 1.2.0.Beta1


      According to the OpenID Connect Basic Client Implementer's Guide, a client must validate the ID Token (http://openid.net/specs/openid-connect-basic-1_0-23.html#id_token) it receives from the server.

      The validation, as specified:

      The client MUST validate the ID Token in the Token Endpoint Response. To do this, the Client can split the id_token at the period (".") characters, take the second segment, and base64url decode it to obtain a JSON object containing the ID Token claims, which MUST be validated as follows:

      • The Client MUST validate that the iss (issuer) Claim is valid for the Token Endpoint that the id_token was received from.
      • The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the client.
      • The current time MUST be less than the value of the exp Claim (possibly allowing for some small leeway to account for clock skew).
      • The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces must be stored to prevent attacks. The acceptable range is Client specific.
      • If the acr Claim was requested, the Client SHOULD check that the asserted Claim Value is appropriate. The meaning and processing of acr Claim Values is out of scope for this specification.
      • If the auth_time Claim was requested, the Client SHOULD check the value and request re-authentication if it determines too much time has elapsed since the last user authentication.

      More at: http://openid.net/specs/openid-connect-basic-1_0-23.html#id.token.validation

      This is a sample ID Token from Keycloak:


      Keycloak is returning at least 2 wrong values:

      • iss contains the Realm name (the spec requires an issuer value that is valid for the Token Endpoint the id_token was received from)
      • aud contains the Realm name (the spec requires the client's client_id to be listed as an audience)
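As an added example (not code from the Keycloak project or from this issue), the following Python implements the client-side checks quoted above: split the id_token at the period characters, base64url-decode the second segment, then validate iss, aud (including the "no untrusted extra audiences" rule), exp with clock-skew leeway and iat against a client-specific maximum age. It also checks an HS256 signature keyed with the client secret, which goes beyond the quoted steps. The issuer URL, client_id, client secret and all claim values are constructed fixtures; the second fixture reproduces the symptom reported here (realm name in both iss and aud) and must be rejected.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example (not from Keycloak or this issue).
EXPECTED_ISSUER = "https://sso.example.test/auth/realms/demo"  # hypothetical issuer URL
CLIENT_ID = "my-client"
CLIENT_SECRET = "constructed-client-secret"
NOW = 1_700_000_000  # fixed "current time" so the checks are deterministic

# A well-formed set of claims.
GOOD_CLAIMS = {"iss": EXPECTED_ISSUER, "sub": "user-1", "aud": CLIENT_ID,
               "exp": NOW + 300, "iat": NOW - 10}
# Claims shaped like the report's symptom: realm name in iss and aud.
REALM_NAME_CLAIMS = {"iss": "demo", "sub": "user-1", "aud": "demo",
                     "exp": NOW + 300, "iat": NOW - 10}


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url (RFC 7515) by restoring the padding first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_hs256_id_token(claims: dict, client_secret: str) -> str:
    """Build an HS256-signed JWT; used here only to construct test fixtures."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256_signature(id_token: str, client_secret: str) -> bool:
    """Recompute HMAC-SHA256 over header.payload and compare in constant time."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse anything but the expected algorithm
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(client_secret.encode(), signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def decode_id_token_claims(id_token: str) -> dict:
    """Take the second '.'-separated segment and base64url-decode it to JSON."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("ID Token must have three '.'-separated segments")
    return json.loads(b64url_decode(parts[1]))


def validate_id_token_claims(claims: dict, expected_issuer: str, client_id: str,
                             now=None, leeway=60, max_iat_age=None,
                             trusted_audiences=()):
    """Return a list of validation errors (empty list means the claims pass)."""
    now = time.time() if now is None else now
    errors = []

    # iss must be the issuer the token endpoint belongs to, not a bare realm name.
    if claims.get("iss") != expected_issuer:
        errors.append(f"iss: expected {expected_issuer!r}, got {claims.get('iss')!r}")

    # aud may be a string or a list; our client_id must be present and any
    # additional audience must be one we explicitly trust.
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or client_id not in aud:
        errors.append(f"aud: client_id {client_id!r} not listed in {aud!r}")
    else:
        untrusted = [a for a in aud if a != client_id and a not in trusted_audiences]
        if untrusted:
            errors.append(f"aud: untrusted additional audiences {untrusted!r}")

    # now must be less than exp, allowing some leeway for clock skew.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        errors.append(f"exp: token expired or exp missing (exp={exp!r}, now={now})")

    # iat: reject tokens issued too long ago (or in the future beyond leeway).
    if max_iat_age is not None:
        iat = claims.get("iat")
        if not isinstance(iat, (int, float)) or now - iat > max_iat_age or iat > now + leeway:
            errors.append(f"iat: issued too far from current time (iat={iat!r}, now={now})")

    return errors


if __name__ == "__main__":
    for label, claims in (("good", GOOD_CLAIMS), ("realm-name", REALM_NAME_CLAIMS)):
        token = make_hs256_id_token(claims, CLIENT_SECRET)
        sig_ok = verify_hs256_signature(token, CLIENT_SECRET)
        errs = validate_id_token_claims(decode_id_token_claims(token), EXPECTED_ISSUER,
                                        CLIENT_ID, now=NOW, max_iat_age=600)
        print(label, "signature ok" if sig_ok else "bad signature", errs or "claims ok")
```

The realm-name fixture fails two of the checks even though its signature verifies, which is the point of the report: a client that follows the guide's steps will reject Keycloak's token, so the server-side claim values, not the client, need fixing.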




            Assignee: Unassigned
            Reporter: Iván Perdomo (iperdomo_jira)