To prevent access tokens issued by the same Keycloak server, but meant for other services, to be used with our API Gateway we can set an "Audience" for the generated tokens. For more info see the Keycloak documentation on this subject.
For how to add a hardcoded audience to a Keycloak client see the docs.
Here is a short summary:
- Create a "Client Scope", e.g.
- Disable "Include In Token Scope" and "Display On Consent Screen" (not strictly needed, but it's not a real scope)
- Go to "Mappers" and "Create" a new mapper
- "Mapper Type" is "Audience", set "Included Custom Audience" to
api-gwand enable "Add to access token"
By adding this client scope to a client the generated tokens will have their
aud field set to
The resource server (API-GW) then needs to check that the (valid) access token
as the audience
api-gw and if not reject the token because it was meant for