I'm currently using Keycloak 9.0.0. When authenticating using the code flow and exchanging this code, I'm receiving an id token without the at_hash claim.
How do I configure Keycloak to include an at_hash claim in the id token?
Background:
I'm using a "classic" server side rendered (SSR) program, a confidential client.
I'm sending requests to my local HTTP API. But I also have an Angular client. The SSR is a Go program using github.com/coreos/go-oidc.
Rendered pages that require authentication redirect the visitor to Keycloak and back via the redirect_uri.
Since the visitor is logged in, its id token is present in the session and I also pass the access token. However, the id token has no at_hash claim and thus access token validation fails.
I also have a mobile web version of this site, in Angular, and it sends a bearer access token once logged in. This app uses the code flow + PKCE.
Both should be able to send authenticated requests, but since I'm using pretty much the only OIDC client library for Go available, it requires an at_hash claim to be present in the id token to be able to verify access tokens. The package currently has no support for the introspection endpoint.
Both the id token and the access token are returned from the IDP, but neither has an at_hash claim.
Upvotes: 2
Views: 1629
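For readers wondering what the library is actually checking when it fails: below is an added Go example (my own code, not from the question, Keycloak or go-oidc) of the at_hash binding defined in OIDC Core 3.3.2.11, which hashes the access token with the digest matching the id token's JWS alg, keeps the left-most half, base64url-encodes it without padding, and compares it to the claim. A missing claim is treated as a verification failure, which is exactly the situation described above; the function and variable names are my own, and the id token's signature is assumed to have been verified beforehand.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrNoAtHash is the failure the question describes: without at_hash the id token cannot vouch for the access token at all.
var ErrNoAtHash = errors.New("id token has no at_hash claim")

// ComputeAtHash returns base64url(left-most half of hash(accessToken)) without padding,
// using the digest OIDC Core 3.3.2.11 ties to the id token's JWS alg (hypothetical helper name).
func ComputeAtHash(alg, accessToken string) (string, error) {
	var sum []byte
	switch alg {
	case "RS256", "PS256", "ES256", "HS256":
		s := sha256.Sum256([]byte(accessToken))
		sum = s[:]
	case "RS384", "PS384", "ES384", "HS384":
		s := sha512.Sum384([]byte(accessToken))
		sum = s[:]
	case "RS512", "PS512", "ES512", "HS512":
		s := sha512.Sum512([]byte(accessToken))
		sum = s[:]
	default:
		return "", fmt.Errorf("unsupported id token alg %q", alg)
	}
	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
}

// VerifyAccessToken binds accessToken to an id token whose signature was already verified.
// claims is the decoded id token payload; alg comes from the id token's JWS header (assumption).
func VerifyAccessToken(alg string, claims map[string]interface{}, accessToken string) error {
	got, ok := claims["at_hash"].(string)
	if !ok || got == "" {
		return ErrNoAtHash
	}
	want, err := ComputeAtHash(alg, accessToken)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(got), []byte(want)) != 1 {
		return errors.New("at_hash does not match the access token")
	}
	return nil
}
```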