IDX10206: Unable to validate audience. The 'audiences' parameter is empty

[jeanyves7]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

When trying to validate the token issued from keycloak in the frontend and sent in the authorization header to the backend to be validated, the request is failing with the following message:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10206: Unable to validate audience. The 'audiences' parameter is empty.
at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
...

Below is an extract of the code used:

Expected Behavior

The code should be able to validate the token.

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

No response

Anything else?

No response

[blowdart]

Lack of an audience token is, frankly, weird. Is there an aud claim in the JWT?

[jeanyves7]

i sincerely don't know if we have it or no

[blowdart]

If you capture the JWT (fiddler, or just console.writeline/logging in, maybe, OnMessageReceived ) you'll see it, in the form of "aud" : "something", it's not encrypted or anything.

Technically you can have a jwt without it, it's just an odd thing, because you want scoped tokens.

Hi @jeanyves7. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[jeanyves7]

If you capture the JWT (fiddler, or just console.writeline/logging in, maybe, OnMessageReceived ) you'll see it, in the form of "aud" : "something", it's not encrypted or anything.

Technically you can have a jwt without it, it's just an odd thing, because you want scoped tokens.

Thank you I will try it and see what is happening

[jeanyves7]

If you capture the JWT (fiddler, or just console.writeline/logging in, maybe, OnMessageReceived ) you'll see it, in the form of "aud" : "something", it's not encrypted or anything.

Technically you can have a jwt without it, it's just an odd thing, because you want scoped tokens.

Thank you for your feedback after debugging and parsing the generated token, I found out that keycloak is not including the audience in the "aud" field you need to manually specify in keycloak what audience are added to the token

[blowdart]

Ah wonderful :) Technically it's within the spec, practically everything will expect an audience, otherwise you get a token that would be usable everywhere. I'm glad you figured it out.