JWTClaimsError at /keycloak/login-complete #18
An observation after playing around more. If I try using PyCharm to breakpoint into :| So a timing issue somewhere? |
So, an update on my trials. At some point it was trying to validate the audience using a claims object with an aud of 'account'. I got it to work by removing the roles auto-assigned by Keycloak for the default 'account' client (manage-account, view-profile). In my use case, those will not be used, so no real worries. From a learning perspective, can you explain the exception relative to an out-of-the-box Keycloak setup? Seems like something that should still be addressed in the django-keycloak module. Thanks for the otherwise great library! I am Keycloak enabled in <50 lines of "code".
Hi @cguethle, I had the same case once, but that was with a newer version of Keycloak (probably 4.5). It seems that Keycloak returns a JWT for the Which version of Keycloak do you use?
Today I dived into the topic, and it seems that something has changed around audience handling after version 3.4. Please check the Keycloak docs on how to configure audience mapping: https://www.keycloak.org/docs/4.8/server_admin/#_audience I was able to reproduce your issue in Keycloak 4.8.3 and fixed it by creating an audience mapper for the client.
I am using the latest version, so this makes sense. I will look into the audience mapper more. Thanks for the quick resolution.
Same issue with Keycloak 9.0.2. Works fine as long as I use the "account" client. Exploration revealed that the error was happening in jose.jwt.py::
At this point audience = '<my_client_id>' and audience_claims = ['account']. The audience is being set here: in keycloak.openid_connect.py, the audience defaults to the name of the client::
However, I could not find where the audience_claim was being set. After a lot of experimentation, it turns out that the answer is to change the Scope setting of the client. In Client > Scopes, make sure that Full Scope Allowed is OFF. Now audience = '<my_client_id>' and audience_claims = ['<my_client_id>'], and you will no longer get an error.
Thank you @phoebebright |
@phoebebright thanks a lot, you're a life saver. I used Keycloak 9.0.0.
I faced the same issue while using Keycloak v18.0, and the only valid solution was to configure the audience in Keycloak as described here: https://stackoverflow.com/a/53627747/2995886
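The thread above keeps circling one check: the relying party compares its own client id against the token's aud claim, and an out-of-the-box Keycloak token carries aud "account", so the comparison fails with "Invalid audience" until an audience mapper (or the scope change) puts the client id into aud. The following is an added illustration, not code from the issue, from django-keycloak or from python-jose: it reimplements the standard aud rule (RFC 7519 section 4.1.3) and runs it over constructed Keycloak-style claim sets. The client id "my-django-client", the realm URL and every claim value are assumptions made up for the example; nothing here verifies a signature.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use (RFC 7515 appendix C)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment drops, then decode it."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_inspection_token(claims: dict) -> str:
    """Assemble header.payload.signature with a placeholder signature.

    Constructed for inspecting claims only: nothing is signed or verified here,
    whereas a real Keycloak access token is RS256-signed.
    """
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def unverified_claims(token: str) -> dict:
    """Read the payload without checking the signature; for inspection only."""
    return json.loads(b64url_decode(token.split(".")[1]))


class InvalidAudience(Exception):
    """Raised when the aud claim does not name the expected audience."""


def validate_aud(claims: dict, audience: str) -> None:
    """Apply the aud rule of RFC 7519 section 4.1.3.

    aud is a single string or a list of strings; the relying party must find its
    own identifier among them or reject the token. This is a reimplementation for
    illustration, not python-jose's _validate_aud.
    """
    if "aud" not in claims:
        raise InvalidAudience("token carries no aud claim")
    aud = claims["aud"]
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        raise InvalidAudience("aud must be a string or a list of strings")
    if audience not in aud:
        raise InvalidAudience(f"Invalid audience: expected {audience!r}, token has {aud!r}")


def audience_matches(token: str, audience: str) -> bool:
    """True when the token's (unverified) claims pass validate_aud for this audience."""
    try:
        validate_aud(unverified_claims(token), audience)
    except InvalidAudience:
        return False
    return True


# Assumed client id; the thread writes it as '<my_client_id>'.
CLIENT_ID = "my-django-client"

# Constructed claim sets modelled on a Keycloak access token, not captured from a server.
# Out of the box, aud names the built-in 'account' client, which is the
# audience_claims = ['account'] the thread observed.
DEFAULT_CLAIMS = {
    "iss": "http://localhost:8080/realms/demo",
    "aud": "account",
    "azp": CLIENT_ID,
    "sub": "user-1",
}
# After an audience mapper is added for the client, the client id appears in aud.
MAPPED_CLAIMS = dict(DEFAULT_CLAIMS, aud=[CLIENT_ID, "account"])
# A token minted for a different client in the same realm: the aud check must reject it.
OTHER_CLIENT_CLAIMS = dict(DEFAULT_CLAIMS, aud="some-other-client", azp="some-other-client")

DEFAULT_TOKEN = make_inspection_token(DEFAULT_CLAIMS)
MAPPED_TOKEN = make_inspection_token(MAPPED_CLAIMS)
OTHER_CLIENT_TOKEN = make_inspection_token(OTHER_CLIENT_CLAIMS)

if __name__ == "__main__":
    for name, token in [("default", DEFAULT_TOKEN), ("mapped", MAPPED_TOKEN), ("other", OTHER_CLIENT_TOKEN)]:
        print(name, unverified_claims(token)["aud"], audience_matches(token, CLIENT_ID))
```

The third claim set is the reason the check exists: a token issued to another client in the same realm carries a valid signature from the same issuer, and only the aud comparison stops the Django app from accepting it. That is why the fix discussed in the thread is to make Keycloak include the client in aud, not to relax or skip audience verification on the Django side.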
Attempted to use your module for my Django project and am getting the following error.
Latest Keycloak running at localhost:8080, Django server running at localhost:8000. The redirect to the Keycloak login works fine, this error happens after logging in and getting redirected back to Django. Of note, a Django user gets created for the matching keycloak user.
I have followed your instructions in the default cases, nothing fancy going on. Is there something about my Realm or Client setup that has to be special or that I may have gotten wrong?
Disclaimer: I have zero real OpenID/Keycloak experience. So... Yeah. :)
Thanks!
Exception
Request Method: GET
Request URL: http://localhost:8000/keycloak/login-complete?state=68824b78-8d83-4a3c-9003-e6e81c3af2d5&session_state=fa63ed5b-dc3e-4177-9ca4-6c223d10344d&code=cec9d97e-1b3c-4acf-816b-96f26f55dd7c.fa63ed5b-dc3e-4177-9ca4-6c223d10344d.0a6d8070-5c23-43eb-a104-b6205d9cd18b
Django Version: 2.0.4
Exception Type: JWTClaimsError
Exception Value: Invalid audience
Exception Location: /Users/../testv/lib/python3.6/site-packages/jose/jwt.py in _validate_aud, line 338
Python Executable: /Users/../testv/bin/python
Python Version: 3.6.4