How to remove "account" from aud claim in KeyCloak?

Question


I created in the latest Keycloak version using the Admin UI a new client and a user and Evaluate the Client Scopes directly. In the generated access token we can see:

"iss": "..."
"aud": "account"
"sub": "..."

We can change the "aud" by adding a new mapper via "<realm>-dedicated" but we can't remove the "account" item. Why is this added and can we remove it?

Answer 1

Score: 6


The claim aud refers to the audience of the current token. In other words, aud represents the services that should accept the given token.

> Why is this added ...?

In Keycloak, by default, the claim aud already contains a reference to the client account. This happens because by default:

  1. a newly created client comes with an unfiltered scope (i.e., has scope on all roles)
  2. users are assigned with client roles from the account client, which provides access to the account console of Keycloak.

> ... can we remove it?

Yes, regarding point 1, if you go to your new client, switch to the tab Client Scopes, click on the scope <client-id>-dedicated, and then switch to the tab Scope you will see the following:

[screenshot omitted]

There you can switch off the Full scope allowed option, and then manually add the roles that should show up on the token (by using the Assign role menu). By not including any of the roles related to the client account, you are (indirectly) excluding any reference of that client on the aud claim. Bear in mind, however, that changes to this client will affect all the users using it to authenticate.

The other option is regarding point 2, if you go to users, click on your user, then switch to the tab Role Mapping and unselect the option Hide inherited roles, you will see the following:

[screenshot omitted]

As you can see, for newly created users Keycloak assigns, among others, the client roles manage-account-links, manage-account, and view-profile. Those roles are client roles from the account client. You could unassign them from the user, which would indirectly exclude any reference of the account client from the aud claim on tokens emitted by any client to that user. This is inadvisable, since normally one wants their users to access the Keycloak account console.

IMO, the first option is the one to go if you really want to exclude the account from the audience.
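A way to verify that either change actually took effect, added here as an example and not taken from the answer or from Keycloak: it decodes an access token's payload and reports whether account is still in aud and which account client roles appear in resource_access (the roles that cause Keycloak to add that audience). The sample tokens are constructed with a placeholder signature; the issuer and client names are assumptions.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string with an empty signature, for offline inspection only."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     ""])


def decode_payload(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature.
    Fine for inspecting claims; any trust decision must follow signature verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected 3 segments)")
    seg = parts[1]
    seg += "=" * (-len(seg) % 4)  # restore base64url padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(seg))


def audience_report(token: str, unwanted_client: str = "account") -> dict:
    """Report whether unwanted_client is in aud and which of its roles are on the token."""
    claims = decode_payload(token)
    aud = claims.get("aud", [])
    # RFC 7519: aud is either a single string (as in the question) or an array of strings
    aud_list = [aud] if isinstance(aud, str) else list(aud)
    roles = claims.get("resource_access", {}).get(unwanted_client, {}).get("roles", [])
    return {"aud": aud_list,
            "has_unwanted_aud": unwanted_client in aud_list,
            "unwanted_client_roles": list(roles)}


# Constructed payloads: the default a new client/user gets, and what option 1 yields.
DEFAULT_TOKEN = make_unsigned_token({
    "iss": "https://keycloak.example/realms/demo",  # assumed issuer
    "aud": "account",
    "sub": "user-uuid",
    "resource_access": {"account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}},
})
FIXED_TOKEN = make_unsigned_token({
    "iss": "https://keycloak.example/realms/demo",
    "aud": ["my-api"],  # assumed client that should be the only audience
    "sub": "user-uuid",
    "resource_access": {"my-api": {"roles": ["reader"]}},
})
```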

huangapple
  • Posted on 2023-05-28 04:59:45
  • Please keep this link when reposting: https://go.coder-hub.com/76349018.html