Getting a "required audience is missing" when trying to access my Spring backend deployed on a K8s/Argocd server

kubernetes


JWT tokens can have an optional "aud" property which indicates the intended audience of the token. The audience in your scenario is your Spring Boot application, which means the token should be issued for accessing your Spring Boot application.

As part of the validation of the JWT token on your Spring Boot application, if the "aud" property exists, its value also gets checked to ensure the token was issued to be used by the application.

I guess the token generated for your login doesn't contain the proper/expected value for the "aud" property. In such cases, you would probably need to configure your client on Keycloak.

You can see the properties in your token by pasting it at https://jwt.io/ and inspecting the "aud" property.

A workaround to fix this could also be to disable the audience validation completely in your application. You can do this by adding the following property to your keycloak.json file:

{
    ...
    "verify-token-audience": false
}

The actual solution should be to investigate the way the token is being generated and make it produce the proper value. I recommend checking Audience Support in the Keycloak documentation, which explains how audiences are generated and how they can be configured in Keycloak.

Based on RFC 7519, the JSON Web Token spec:

The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.
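As an added illustration (not code from the question or any of the answers), the following Python snippet applies the RFC 7519 "aud" rule quoted above the way a resource server such as the Spring backend would, with a flag that mirrors the verify-token-audience workaround from the earlier answer. The audience name "spring-backend", the sample claims and the function names are constructed for the demo; the snippet only inspects claims and does not verify the signature, which a real resource server must do first.

```python
import base64
import json


def _b64url_decode(part: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (no signature check here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[1]))


def audience_accepts(claims: dict, my_audience: str,
                     verify_token_audience: bool = True) -> bool:
    """Apply the RFC 7519 'aud' rule for a resource server named my_audience.

    - claim absent: use of "aud" is OPTIONAL, so the token is accepted
    - claim is a string: it must equal my_audience (case-sensitive)
    - claim is an array: my_audience must be one of its strings
    - verify_token_audience=False mirrors the keycloak.json workaround and
      skips the check entirely (the token is then accepted by any service)
    """
    if not verify_token_audience:
        return True
    if "aud" not in claims:
        return True
    aud = claims["aud"]
    if isinstance(aud, str):
        return aud == my_audience
    if isinstance(aud, list):
        return any(isinstance(a, str) and a == my_audience for a in aud)
    return False  # malformed "aud" value: reject


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned demo token (header.payload.placeholder)."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    # The third segment is a placeholder, not a real signature.
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig-placeholder"
```

Running the check against a token whose "aud" is only "account" (a common Keycloak default) reproduces the "required audience is missing" situation for a server identifying as "spring-backend".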


Based on the error you're describing, it may be that your cluster has additional authorization configurations being injected. You probably want to check those and make sure you're not getting extra/unexpected configurations that aren't being handled.