How to use Tokenexchange and enforcing single audience in id-token

spoerl · March 19, 2026, 5:17am

I have the following scenario:

confidential client “source-client”
confidential client “target-client”

I successfully retrieve an access_token for the “source-client”. Then, I use the TokenExchange to get an id_token for the “source-client”. The TokenExchange works and i get this id_token:

{
  ...
  "aud": [
    "source-client",
    "target-client"
  ],  
  "typ": "ID",
  "azp": "source-client",
  ...
}

What I want is, that the aud-Claim of the id_token only has one audience: “source-target”. Is this possible?

I’m using Keycloak 26.5.5.

robson90 · March 19, 2026, 7:30pm

Would that mean you want the aud claim from the original client, before the token exchange ?

spoerl · March 20, 2026, 7:14am

At first, the user authenticates for the “source-client”, so i get an accessToken

{
"exp": 1773984779,
"iat": 1773984479,
"auth_time": 1773984479,
"jti": "onrtac:3dda0bfd-bcdd-b07c-5a59-acf1b97538e7",
"iss": "https://keycloak/realms/test",
"sub": "3b40ee26-806a-43c4-9273-b0b38951c867",
"typ": "Bearer",
"azp": "source-client",
"sid": "M-hiB1g4L-cbTbcugD73WCbB",
"acr": "1",
"allowed-origins": [
"\*"
],
"scope": "openid email profile",
"email_verified": true,
"name": "TESTUSER",
"preferred_username": "TESTUSER"
}

With the accessToken i make an TokenExchange-Request to get an id_token for the “target-client”. For the request i user this parameters:

 { "grant_type", "urn:ietf:params:oauth:grant-type:token-exchange" },
 { "client_id", "source-client" },
 { "client_secret", "CLIENT_SECRET_OF_SOURCE_CLIENT" },

 { "subject_token", userAccessToken },
 { "subject_token_type", "urn:ietf:params:oauth:token-type:access_token" },

 { "requested_token_type", "urn:ietf:params:oauth:token-type:id_token" },

 { "scope", "allow-target-client" }
 { "audience", "target-client"}

As the result i get this id_token:

{
...
"aud": [
"source-client",
"target-client"
],
"typ": "ID",
"azp": "source-client",
...
}

What i want is this (not “target-client” in the aud-claim):

{
...
"aud": [
"target-client"
],
"typ": "ID",
"azp": "source-client",
...
}

Topic		Replies	Views
Keycloak Token exchange Error - Client is not within the token audience Getting advice token-exchange	1	152	August 2, 2024
No Token Exchange from service accounts in Keycloak 14 Securing applications	0	1014	July 12, 2021
Enforce single audience in access token Getting advice	2	3147	December 14, 2020
Token exchange error with an exchanged token as subject token Getting advice authentication , oidc	1	845	December 5, 2023
Refresh exchanged token Securing applications	0	407	December 13, 2021

How to use Tokenexchange and enforcing single audience in id-token

Related topics