From 49c1b92753e8747075918e21ae28d43cc3e98c80 Mon Sep 17 00:00:00 2001 From: Dotty Dotter Date: Fri, 10 Apr 2026 21:32:08 +0200 Subject: [PATCH] =?UTF-8?q?Fix:=20JWT=20aud=3Daccount=20bei=20Keycloak=20P?= =?UTF-8?q?ublic=20Clients=20=E2=80=94=20pr=C3=BCfe=20azp=20statt=20aud?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- app/auth.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/app/auth.py b/app/auth.py index f066c57..eb5f278 100644 --- a/app/auth.py +++ b/app/auth.py @@ -122,15 +122,22 @@ async def _validate_token(token: str) -> Optional[dict]: logger.warning("JWT kid %s not found in JWKS", kid) return None + # Keycloak setzt aud="account" für Public Clients, nicht den + # client_id. Prüfe azp (authorized party) statt aud, und + # deaktiviere den strikten aud-Check. payload = jwt.decode( token, rsa_key, algorithms=["RS256"], - audience=settings.keycloak_client_id, issuer=_keycloak_issuer(), - options={"verify_exp": True}, + options={"verify_exp": True, "verify_aud": False}, ) + # azp muss unserem Client entsprechen + if payload.get("azp") != settings.keycloak_client_id: + logger.warning("JWT azp %s != expected %s", payload.get("azp"), settings.keycloak_client_id) + return None + return { "sub": payload.get("sub"), "email": payload.get("email", ""),
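Review bot: Setting `"verify_aud": False` on the `jwt.decode` call removes the intended-recipient check entirely, and the `azp` comparison added after it does not replace it: `azp` names the client the token was issued to, not the resource server it is meant for, so a token minted through this public client for some other audience in the realm now passes here as well. The better fix is on the Keycloak side, adding an Audience protocol mapper to the client so the token's `aud` contains this API's client id, then restoring the removed `audience=settings.keycloak_client_id,` line and keeping the new `azp` check as defence in depth. If the mapper cannot be configured, keep audience validation on with the values Keycloak actually issues, `audience=[settings.keycloak_client_id, "account"],` and drop `"verify_aud": False` from `options`, rather than switching it off. The German comment should also state why `aud` is not verified so a later reader does not treat it as an oversight. The body of `_validate_token` continues past the end of the hunk.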