verikloak-audience 0.2.8 → 0.2.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +13 -0
- data/README.md +97 -0
- data/lib/verikloak/audience/version.rb +1 -1
- metadata +4 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 53894e2af5f290a98ec6f438b9d0271e1f8e86d18c6404c9b0394c5cd5741312
|
|
4
|
+
data.tar.gz: 0cc799a43b2559f34113e6d738d1e2ee004c1292c86115dc83918ca32aeef04f
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 9536f08a7ce2f5de4113483215386221dec1867c6affbea7a0e3074239017c1d7e0d4135476f72cf45cbda1de2fc17781fdf9662d038eb110afdb336a5ee6bb3
|
|
7
|
+
data.tar.gz: 5730013314cd5dd393c9936256a5fe31cb3aa13fac4c3dda6dabb7ca308424167235d0482167f2cc92c13e26ee5bdef23eaeddab5f01b7898ea31474aeb3211d
|
data/CHANGELOG.md
CHANGED
|
@@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|
|
7
7
|
|
|
8
8
|
---
|
|
9
9
|
|
|
10
|
+
## [0.2.9] - 2025-12-31
|
|
11
|
+
|
|
12
|
+
### Added
|
|
13
|
+
- **Keycloak Integration** documentation section in README:
|
|
14
|
+
- Default audience behavior explanation (Access Token: `"account"`, ID Token: Client ID)
|
|
15
|
+
- Step-by-step guide for configuring Audience Mapper in Keycloak
|
|
16
|
+
- Configuration examples using `:allow_account` profile and array audiences
|
|
17
|
+
- Troubleshooting guide with JWT decoding commands
|
|
18
|
+
|
|
19
|
+
### Documentation
|
|
20
|
+
- Added guidance for common Keycloak + audience validation issues
|
|
21
|
+
- Clarified the relationship between Keycloak client configuration and token `aud` claims
|
|
22
|
+
|
|
10
23
|
## [0.2.8] - 2025-09-28
|
|
11
24
|
|
|
12
25
|
### Changed
|
data/README.md
CHANGED
|
@@ -71,6 +71,103 @@ See [`examples/rack.ru`](examples/rack.ru) for a full Rack sample. In Rails, alw
|
|
|
71
71
|
- When audience validation fails, the middleware consults `env['verikloak.logger']`, `env['rack.logger']`, and `env['action_dispatch.logger']` (in that order) before falling back to Ruby's `Kernel#warn`, keeping failure logs consistent with Rails and Verikloak observers.
|
|
72
72
|
- For the `:resource_or_aud` profile, `resource_client` must match one of the values in `required_aud`. A single-element `required_aud` automatically infers the client id, ensuring the same client identifier is shared with downstream BFF/Pundit integrations.
|
|
73
73
|
|
|
74
|
+
## Keycloak Integration
|
|
75
|
+
|
|
76
|
+
### Default Audience Behavior
|
|
77
|
+
|
|
78
|
+
Keycloak access tokens include `aud: "account"` by default. This is often unexpected for developers who expect the client ID to appear in the audience claim.
|
|
79
|
+
|
|
80
|
+
| Token Type | Default `aud` Value |
|
|
81
|
+
|------------|---------------------|
|
|
82
|
+
| Access Token | `"account"` |
|
|
83
|
+
| ID Token | Client ID |
|
|
84
|
+
|
|
85
|
+
### Common Issue
|
|
86
|
+
|
|
87
|
+
```ruby
|
|
88
|
+
# Configuration
|
|
89
|
+
config.verikloak.audience = 'rails-api'
|
|
90
|
+
|
|
91
|
+
# Actual token payload
|
|
92
|
+
{
|
|
93
|
+
"aud": "account", # NOT "rails-api"!
|
|
94
|
+
"sub": "user-123",
|
|
95
|
+
...
|
|
96
|
+
}
|
|
97
|
+
|
|
98
|
+
# Result: 403 Forbidden - audience validation fails
|
|
99
|
+
```
|
|
100
|
+
|
|
101
|
+
### Solution: Configure Audience Mapper in Keycloak
|
|
102
|
+
|
|
103
|
+
To add a custom audience to access tokens:
|
|
104
|
+
|
|
105
|
+
1. Go to **Clients** → Select your client (e.g., `rails-api`)
|
|
106
|
+
2. Navigate to **Client scopes** tab
|
|
107
|
+
3. Click on the dedicated scope (e.g., `rails-api-dedicated`)
|
|
108
|
+
4. Go to **Mappers** tab → **Add mapper** → **By configuration**
|
|
109
|
+
5. Select **Audience**
|
|
110
|
+
6. Configure:
|
|
111
|
+
- **Name**: `rails-api-audience`
|
|
112
|
+
- **Included Client Audience**: `rails-api`
|
|
113
|
+
- **Add to access token**: ON
|
|
114
|
+
7. Save
|
|
115
|
+
|
|
116
|
+
After this configuration, tokens will include:
|
|
117
|
+
```json
|
|
118
|
+
{
|
|
119
|
+
"aud": ["rails-api", "account"],
|
|
120
|
+
...
|
|
121
|
+
}
|
|
122
|
+
```
|
|
123
|
+
|
|
124
|
+
### Configuration Examples
|
|
125
|
+
|
|
126
|
+
#### Option 1: Allow both custom and account audience
|
|
127
|
+
|
|
128
|
+
```ruby
|
|
129
|
+
# config/initializers/verikloak.rb
|
|
130
|
+
Rails.application.configure do
|
|
131
|
+
config.verikloak.audience = ['rails-api', 'account']
|
|
132
|
+
end
|
|
133
|
+
```
|
|
134
|
+
|
|
135
|
+
#### Option 2: Use :allow_account profile
|
|
136
|
+
|
|
137
|
+
```ruby
|
|
138
|
+
# With verikloak-audience middleware
|
|
139
|
+
use Verikloak::Audience::Middleware,
|
|
140
|
+
profile: :allow_account,
|
|
141
|
+
required_aud: ['rails-api']
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
#### Option 3: Strict single audience (requires Keycloak Mapper)
|
|
145
|
+
|
|
146
|
+
```ruby
|
|
147
|
+
# Only works if Keycloak Audience Mapper is configured
|
|
148
|
+
use Verikloak::Audience::Middleware,
|
|
149
|
+
profile: :strict_single,
|
|
150
|
+
required_aud: ['rails-api']
|
|
151
|
+
```
|
|
152
|
+
|
|
153
|
+
### Troubleshooting
|
|
154
|
+
|
|
155
|
+
#### "Audience validation failed" errors
|
|
156
|
+
|
|
157
|
+
1. Check your token's `aud` claim:
|
|
158
|
+
```bash
|
|
159
|
+
# Decode JWT (paste your token)
|
|
160
|
+
echo "YOUR_TOKEN" | cut -d. -f2 | base64 -d | jq .aud
|
|
161
|
+
```
|
|
162
|
+
|
|
163
|
+
2. If `aud` is only `"account"`:
|
|
164
|
+
- Add an Audience Mapper in Keycloak (see above)
|
|
165
|
+
- OR use `:allow_account` profile
|
|
166
|
+
|
|
167
|
+
3. If using oauth2-proxy:
|
|
168
|
+
- Ensure the correct client ID is configured
|
|
169
|
+
- Check that the token is being forwarded correctly
|
|
170
|
+
|
|
74
171
|
## Testing
|
|
75
172
|
All pull requests and pushes are automatically tested with [RSpec](https://rspec.info/) and [RuboCop](https://rubocop.org/) via GitHub Actions.
|
|
76
173
|
See the CI badge at the top for current build status.
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: verikloak-audience
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.2.
|
|
4
|
+
version: 0.2.9
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- taiyaky
|
|
@@ -35,7 +35,7 @@ dependencies:
|
|
|
35
35
|
requirements:
|
|
36
36
|
- - ">="
|
|
37
37
|
- !ruby/object:Gem::Version
|
|
38
|
-
version: 0.
|
|
38
|
+
version: 0.3.0
|
|
39
39
|
- - "<"
|
|
40
40
|
- !ruby/object:Gem::Version
|
|
41
41
|
version: 1.0.0
|
|
@@ -45,7 +45,7 @@ dependencies:
|
|
|
45
45
|
requirements:
|
|
46
46
|
- - ">="
|
|
47
47
|
- !ruby/object:Gem::Version
|
|
48
|
-
version: 0.
|
|
48
|
+
version: 0.3.0
|
|
49
49
|
- - "<"
|
|
50
50
|
- !ruby/object:Gem::Version
|
|
51
51
|
version: 1.0.0
|
|
@@ -76,7 +76,7 @@ metadata:
|
|
|
76
76
|
source_code_uri: https://github.com/taiyaky/verikloak-audience
|
|
77
77
|
changelog_uri: https://github.com/taiyaky/verikloak-audience/blob/main/CHANGELOG.md
|
|
78
78
|
bug_tracker_uri: https://github.com/taiyaky/verikloak-audience/issues
|
|
79
|
-
documentation_uri: https://rubydoc.info/gems/verikloak-audience/0.2.
|
|
79
|
+
documentation_uri: https://rubydoc.info/gems/verikloak-audience/0.2.9
|
|
80
80
|
rubygems_mfa_required: 'true'
|
|
81
81
|
rdoc_options: []
|
|
82
82
|
require_paths:
|