Keycloak Clients, JWT Tokens, and Validation

1️⃣ What is a Keycloak Client?

A client in Keycloak represents an application that requires authentication and authorization. Clients can be:

Each client in Keycloak is registered under a realm and can use OpenID Connect (OIDC) or SAML for authentication.


2️⃣ How JWT Tokens Work with Multiple Clients

Keycloak issues JWT tokens to clients after authentication. Tokens contain:

🚀 Example JWT Structure:

{
  "iss": "https://keycloak.example.com/realms/my-realm",
  "sub": "USER_ID",
  "aud": "web-client",
  "exp": 1717651200,
  "realm_access": {
    "roles": ["USER", "ADMIN"]
  }
}

✅ The aud field lets a resource server confirm that a token was issued for it and reject tokens meant for a different client; this protection only holds if the validating service actually checks the claim, alongside the issuer, expiry and signature.
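As an added example (not part of the original notes), the following Python validator performs the checks described above on a token shaped like the one shown: signature, iss, aud (which Keycloak may emit as a string or a list) and exp. It assumes a constructed shared secret and signs with HS256 only so it runs offline; Keycloak signs with RS256 by default, and a real validator would verify against the realm's published JWKS keys.

```python
import base64, hashlib, hmac, json

# Constructed demo secret; stands in for the realm's RS256 public key so the example runs offline.
SECRET = b"constructed-demo-secret"

def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims):
    """Build a constructed HS256 token shaped like a Keycloak access token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_token(token, expected_iss, expected_aud, now):
    """Verify signature, iss, aud and exp (at Unix time `now`); return claims or raise ValueError."""
    header_b64, payload_b64, sig_b64 = token.split(".")  # raises ValueError on malformed tokens
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own alg
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(SECRET, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else aud  # Keycloak may emit aud as string or list
    if expected_aud not in audiences:
        raise ValueError("token not issued for this client")
    if claims.get("exp", 0) <= now:  # exp is exclusive: reject at or after expiry
        raise ValueError("token expired")
    return claims

def validation_error(token, expected_iss, expected_aud, now):
    """Return the rejection reason, or None when the token is accepted."""
    try:
        validate_token(token, expected_iss, expected_aud, now)
        return None
    except ValueError as exc:
        return str(exc)
```

The audience check is what stops a token minted for web-client from being accepted by a service expecting a different client id, while the signature check is what stops anyone from simply editing the aud claim.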