I have the following scenario:
confidential client "source-client"
confidential client "target-client"
I successfully retrieve an access_token for the "source-client". Then, I use the TokenExchange to get an id_token for the "source-client". The TokenExchange works and I get this id_token:
{
  ...
  "aud": [
    "source-client",
    "target-client"
  ],
  "typ": "ID",
  "azp": "source-client",
  ...
}
What I want is for the aud claim of the id_token to have only one audience: "source-target". Is this possible?
I'm using Keycloak 26.5.5.