
fix(auth): disable audience validation for Keycloak JWT tokens#101

Merged
JanZachmann merged 1 commit into omnect:main from JanZachmann:fix/jwt-audience-validation on Feb 18, 2026

Conversation

@JanZachmann (Contributor) commented Feb 18, 2026

Summary

  • jsonwebtoken v9 Validation::new() enforces aud (audience) claim validation by default
  • Keycloak tokens set aud to the OIDC client ID, which the backend does not know
  • The previous jwt-simple library did not enforce audience
  • Disables aud validation to match prior behavior (same approach already used for iss)

Follow-up to #99 — signature verification now passes but audience validation was rejecting valid tokens with InvalidAudience.

jsonwebtoken v9 Validation::new() enforces audience (aud) validation
by default. Keycloak tokens set aud to the OIDC client ID, which the
backend does not know. The previous jwt-simple library did not enforce
audience. Disable aud validation to match the prior behavior.

Signed-off-by: Jan Zachmann <50990105+JanZachmann@users.noreply.github.com>
@JanZachmann JanZachmann merged commit 7749a2a into omnect:main Feb 18, 2026
3 checks passed
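The change above trades a rejected-but-legitimate token for a check that no longer distinguishes which client a token was minted for. The following is an added example, not omnect's code and not the jsonwebtoken crate: it models the audience check the PR turns off and shows the three outcomes side by side, the crate's v9 default with no expected audience configured (the InvalidAudience the PR hit), `validate_aud = false` as merged, and the alternative of registering the backend's own client id as the expected audience. The realm URL, the client ids, the constructed claims and the `check_aud`/`Validation`/`ClaimError` names are assumptions made for this example; jsonwebtoken's real `Validation` exposes the same two knobs as `validate_aud` and `set_audience`.

```rust
// Added example, not the project's code and not the jsonwebtoken crate: a
// hand-rolled stand-in for the audience check so the behaviour can be seen
// without a running Keycloak.
use std::collections::HashSet;

/// RFC 7519 section 4.1.3: "aud" is a single StringOrURI or an array of them.
#[derive(Debug, Clone)]
pub enum Aud {
    One(String),
    Many(Vec<String>),
}

/// The only claims this example reasons about. Signature and exp are assumed
/// to have been verified already, as the PR says they now are.
#[derive(Debug, Clone)]
pub struct Claims {
    pub iss: String,
    pub aud: Option<Aud>,
}

/// The two knobs the PR is about, modelled on jsonwebtoken v9's Validation.
#[derive(Debug, Clone)]
pub struct Validation {
    /// Defaults to true, as in the crate; the PR sets it to false.
    pub validate_aud: bool,
    /// Audiences this backend accepts; empty means "none configured".
    pub audiences: HashSet<String>,
}

#[derive(Debug, PartialEq, Eq)]
pub enum ClaimError {
    InvalidAudience,
}

impl Validation {
    pub fn new() -> Self {
        Validation { validate_aud: true, audiences: HashSet::new() }
    }

    pub fn set_audience(&mut self, items: &[&str]) {
        self.audiences = items.iter().map(|s| s.to_string()).collect();
    }
}

/// Audience check with v9-style semantics: when validation is on, a token that
/// carries `aud` must match at least one configured audience, so a token with
/// `aud` while nothing is configured is rejected (the InvalidAudience the PR
/// reports). When validation is off, `aud` is not looked at.
pub fn check_aud(claims: &Claims, v: &Validation) -> Result<(), ClaimError> {
    if !v.validate_aud {
        return Ok(());
    }
    let present: Vec<&str> = match &claims.aud {
        None if v.audiences.is_empty() => return Ok(()),
        None => return Err(ClaimError::InvalidAudience),
        Some(Aud::One(s)) => vec![s.as_str()],
        Some(Aud::Many(list)) => list.iter().map(String::as_str).collect(),
    };
    if present.iter().any(|a| v.audiences.contains(*a)) {
        Ok(())
    } else {
        Err(ClaimError::InvalidAudience)
    }
}

/// Constructed sample claims (realm URL and client ids are invented): one token
/// minted for this backend's client, one minted for other clients of the same
/// realm. Both carry the same issuer, so an iss check cannot tell them apart.
pub fn sample_tokens() -> (Claims, Claims) {
    let iss = "https://keycloak.example/realms/devices".to_string();
    let for_backend = Claims { iss: iss.clone(), aud: Some(Aud::One("backend-api".into())) };
    let for_other = Claims {
        iss,
        aud: Some(Aud::Many(vec!["account".into(), "admin-console".into()])),
    };
    (for_backend, for_other)
}

/// Returns (backend token accepted, other-client token accepted).
fn outcomes(v: &Validation) -> (bool, bool) {
    let (a, b) = sample_tokens();
    (check_aud(&a, v).is_ok(), check_aud(&b, v).is_ok())
}

/// Before the PR: defaults, no expected audience configured. Both are rejected,
/// including the legitimate one, which is the failure the PR describes.
pub fn outcome_default_unconfigured() -> (bool, bool) {
    outcomes(&Validation::new())
}

/// What the PR merges: validate_aud = false. Both pass, including the token
/// that was issued for different clients.
pub fn outcome_with_aud_disabled() -> (bool, bool) {
    let mut v = Validation::new();
    v.validate_aud = false;
    outcomes(&v)
}

/// The alternative: keep validation on and register the backend's client id.
pub fn outcome_with_expected_audience() -> (bool, bool) {
    let mut v = Validation::new();
    v.set_audience(&["backend-api"]);
    outcomes(&v)
}

fn main() {
    println!("default, no audience set : {:?}", outcome_default_unconfigured());
    println!("validate_aud = false     : {:?}", outcome_with_aud_disabled());
    println!("expected audience set    : {:?}", outcome_with_expected_audience());
}
```

The second tuple element is the point to keep in mind: with `validate_aud` off, any token the realm issues for another client passes this check, and the matching `iss` does not help because every client of the realm shares it. The last function shows the alternative the PR did not take, configuring the backend's client id as the expected audience, which in a Keycloak deployment usually means also adding an audience protocol mapper so that the id actually appears in the token's `aud` claim.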
