
Audience claim missing from access token since upgrade to 26.3.5 #43378

@dboden-nitro

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

token-exchange

Describe the bug

It appears that after the upgrade of our Keycloak instance from 26.2.5 to 26.3.5, for some clients, spread across realms, the access token suddenly no longer contains the audience claim although it is configured as a dedicated mapper.

In one of the cases we see that for a single realm, older clients are working as expected while newer clients (we believe that these were created while running version 26.2.5) are not returning the audience claim in the access token.

Version

26.3.5

Regression

  • The issue is a regression

Expected behavior

The access token I request should contain the audience claim.

Actual behavior

The access token is missing the audience claim although it is configured as a dedicated mapper.

How to Reproduce?

  • Create a new client in an existing realm
  • Enable client authentication and only the service accounts role authentication flow
  • Add audience claim to the dedicated client scope
    -- Mapper type: Audience
    -- Name: Audience
    -- Included Client Audience: set to the client itself
    -- Add to access token: On
    -- Add to token introspection: On
  • Full scope allowed: off
  • Request an access token
  • Notice that the audience claim is not part of the access token

Anything else?

No response
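
A way to check an issued access token for the symptom reported above, as an added example that is not part of the original report or of Keycloak's code: it decodes the JWT payload and normalises `aud`, which may be a single string or an array. The client ID `my-service` and the sample tokens are constructed for illustration, and the signature is not verified.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def token_audiences(access_token: str) -> list:
    """Return the aud claim as a list (empty when the claim is absent).

    The signature is NOT verified: this is a diagnostic, not an authorization check.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud")
    if aud is None:
        return []
    # RFC 7519: aud may be a single string or an array of strings.
    return [aud] if isinstance(aud, str) else list(aud)


def has_audience(access_token: str, expected: str) -> bool:
    return expected in token_audiences(access_token)


def make_sample_token(claims: dict) -> str:
    # Builds a constructed sample for offline use; the signature segment is a dummy.
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url_encode(b'constructed-signature')}"


# Constructed samples; "my-service" is a hypothetical client ID.
WITH_AUD = make_sample_token({"azp": "my-service", "aud": "my-service"})
WITH_AUD_LIST = make_sample_token({"azp": "my-service", "aud": ["account", "my-service"]})
WITHOUT_AUD = make_sample_token({"azp": "my-service"})

if __name__ == "__main__":
    for name, tok in [("aud string", WITH_AUD), ("aud list", WITH_AUD_LIST), ("no aud", WITHOUT_AUD)]:
        print(name, token_audiences(tok), has_audience(tok, "my-service"))
```

Running the same check against tokens from an older and a newer client in one realm shows which clients are affected.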
