How to modify existing claims in JWT from Keycloak for OIDC flow?
I'm generating JWTs for a service for authentication and we're using Keycloak as the OAuth server.
I've set up a realm R, a client C, and a user U. I setup a protocol mapper to include "C" in the "aud". I generated the JWTtoken for U and when I check the payload, I see "aud": ["C", "account"]. Which is great, I wanted C to be present. But I do not want "account" to be present in the "aud".
How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs" and I wish to remove "email profile" from it. I've been googling around a lot and trying out different stuff in Keycloak but I can't get this to work somehow.
I generated the JWTtoken for U and when I check the payload, I see "aud": ["C", "account"]. Which is great, I wanted C to be present. But I do not want "account" to be present in the "aud".
Instead of an audience Mapper you can use a Hardcoded claim Mapper with:
Token Claim Nameset toaudClaim valueset toCAdd to access tokenset toON
this mapper will override the original claim "aud": "account" with "aud": "C"
Like so:
(Old Keycloak UI)
(For the NEW Keycloak UI)
- Go to the tab
Client Scopes - Click on the scope -dedicated (e.g., test-dedicated in my example)
- Click on
Configure a new mapper
- Select
Hardcoded claim, and then fill up - Click on
Save.
The client will be the client that you are using to authenticate against.
How do I configure this in keycloak? Similarly, the scope reads - "scope": "email profile test-client-rhs" and I wish to remove "email profile" from it.
For this you need to go to:
- The realm where the client is
- Go to clients and select the client
- Click on the tab "Client Scopes"
(For the Old Keycloak UI)
- Remove the scopes
emailandprofilefrom"Assigned Default Client Scopes"
like so:
(For the NEW Keycloak UI)
- change the scopes
emailandprofilefromDefaulttoOptional, Like so:
