Merged
Expand Up @@ -32,6 +32,7 @@ If you deploy Camunda 8 Self-Managed with Helm, use the [Helm chart authenticati
- Client secrets
- Audience
- A [claim name and value](/self-managed/components/management-identity/miscellaneous/configuration-variables.md#oidc-configuration) to use for initial access.
- Your OIDC provider must issue access tokens that contain an `aud` (audience) claim matching the configured audience, as Camunda validates this claim for auth flows. Providers that are not configured to emit, or do not emit, the `aud` claim in their access tokens are not supported. Configure your identity provider to emit this claim if supported. See [known limitations](#oidc-provider-known-limitations) for details.

:::note
The steps below are a general approach for the Camunda components; it is important you reference the [component-specific
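Review bot: The added bullet (`- Your OIDC provider must issue access tokens that contain an `aud` (audience) claim ...`) breaks the parallelism of the list it joins, whose other items are things the reader collects ("Client secrets", "Audience", "A claim name and value ..."), while this one is a multi-sentence requirement plus a cross-reference. Either reword it to match ("An OIDC provider that issues access tokens containing an `aud` claim matching the configured audience") or move the requirement into its own paragraph or `:::note` block after the list, which the existing `:::note` just below suggests is the established convention here. Also, "Providers that are not configured to emit, or do not emit, the `aud` claim" is redundant; "Providers that do not emit the `aud` claim in their access tokens are not supported" says the same thing.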
Expand Down Expand Up @@ -259,3 +260,15 @@ When using [Management Identity](/self-managed/components/management-identity/ov
| User profile management | Fetches user details from the UserInfo endpoint after authentication to personalize the user experience. | <img src={CrossImg} class="table-tick" alt="Unavailable" width="15px"/> |

To request a missing feature, please [contact us](/reference/contact.md).

## OIDC provider known limitations

Camunda requires the `aud` (audience) claim in JWT access tokens for authentication, including machine-to-machine (M2M) flows. The claim must match the configured audience (see [RFC 7519](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3)).

OIDC providers that do not include the `aud` claim in access tokens issued via the OAuth 2.0 Client Credentials flow are not compatible with Camunda for M2M authentication.

### AWS Cognito

AWS Cognito does not include the `aud` claim in Client Credentials access tokens, using `client_id` instead. Camunda rejects these tokens with errors such as `Token audiences are [], expected at least one of [...]`, resulting in `UNAUTHENTICATED` errors for Connectors and other M2M clients. Cognito is not currently supported for M2M authentication.

For tracking and updates, see [camunda/camunda#44650](https://github.com/camunda/camunda/issues/44650).
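Review bot: The scope of the Cognito limitation is left ambiguous. The opening paragraph says the `aud` requirement applies to authentication "including machine-to-machine (M2M) flows", but the "### AWS Cognito" subsection only addresses Client Credentials tokens and closes with "Cognito is not currently supported for M2M authentication"; add one sentence stating explicitly whether interactive user login against Cognito is supported, so readers evaluating Cognito do not have to infer it. Minor: the quoted error `Token audiences are [], expected at least one of [...]` is useful for searching logs, but say which component emits it (the section mentions Connectors "and other M2M clients" without naming where the message surfaces), and consider folding the final "Cognito is not currently supported" sentence into the preceding one, since it repeats the general statement two paragraphs above.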