FAPI 2.0 Security Profile Final - only accept its issuer identifier value as a string in the aud claim received in client authentication assertions #41119

@tnorimat

Description

For Keycloak to fully comply with FAPI 2.0 Security Profile Final, Keycloak needs to do the following:

According to item 8 of section 5.3.2.1 of the FAPI 2.0 Security Profile Final specification,

  • On receiving a client authentication assertion from a client, Keycloak only accepts its issuer identifier value as a string in the aud claim received in the client authentication assertion.
  • The issuer value is equal to the issuer claim value of the server metadata that the client can obtain by accessing the well-known URI.

Discussion

No response

Motivation

Making Keycloak fully comply with FAPI 2.0 Security Profile Final specification.

Details

No response
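
The check requested in this issue, sketched as an added Python example (not Keycloak's own code, which is Java): the `aud` claim of a client authentication assertion is accepted only when it is a JSON string exactly equal to the server's issuer identifier. The issuer URL, the function names and the sample assertions are constructed assumptions; signature verification and the other claim checks are out of scope.

```python
import base64
import json

ISSUER = "https://as.example.com/realms/demo"  # constructed sample issuer


class AudienceError(ValueError):
    """The aud claim does not satisfy the strict FAPI 2.0 rule."""


def make_assertion(claims: dict) -> str:
    """Build a compact JWT with a dummy signature (constructed sample input)."""
    parts = (json.dumps({"alg": "PS256"}).encode(), json.dumps(claims).encode(), b"sig")
    return ".".join(base64.urlsafe_b64encode(p).rstrip(b"=").decode() for p in parts)


def read_claims(assertion: str) -> dict:
    """Decode the JWT payload. Signature verification is out of scope here."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise AudienceError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:
        raise AudienceError("payload is not base64url-encoded JSON") from exc
    if not isinstance(claims, dict):
        raise AudienceError("payload is not a JSON object")
    return claims


def check_audience(assertion: str, issuer: str) -> None:
    """Accept only an aud that is a JSON string equal to the issuer."""
    aud = read_claims(assertion).get("aud")
    if not isinstance(aud, str):
        # Missing aud and arrays are rejected, including ["<issuer>"].
        raise AudienceError(f"aud must be a string, got {type(aud).__name__}")
    if aud != issuer:
        # Exact match only: no trailing-slash or case normalization.
        raise AudienceError("aud is not the issuer identifier")


def is_accepted(claims: dict, issuer: str = ISSUER) -> bool:
    """Convenience wrapper returning True/False instead of raising."""
    try:
        check_audience(make_assertion(claims), issuer)
    except AudienceError:
        return False
    return True
```

A single-element array containing the issuer and the token endpoint URL are both rejected here, although more lenient audience checks commonly accept them.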
