fix: remove audience parameter from Keycloak config to fix production auth

flowcore-platform · flowcore-platform · commit 5e8e654fd678 · 2026-01-20T16:39:12.000Z
Root cause: Keycloak access tokens with explicit audience claim (audience: USABLE_CLIENT_ID) were being rejected by the Usable API with 401 Unauthorized errors. Changes: - Remove audience parameter from Keycloak authorization config - Add token prefix logging to Usable API service for debugging - Minor middleware formatting cleanup Impact: Users can now successfully authenticate and access workspaces in production (https://graphable.usable.dev) Evidence from groundcover: - Auth succeeded, tokens stored correctly - But Usable API returned "Unauthorized" on workspace fetch - Pattern: successful sign-in followed by API rejection Solution: Keycloak now issues tokens with default audience that are compatible with Usable API expectations. Refs: Usable fragment 9a6f4b48-d34b-4d4a-8267-dae00ebcf25d
diff --git a/lib/auth.ts b/lib/auth.ts
@@ -128,8 +128,6 @@ export const authOptions: NextAuthOptions = {
       authorization: {
         params: {
           scope: "openid email profile offline_access",
-          // Request token with correct audience for MCP server
-          audience: env.USABLE_CLIENT_ID,
           // Enable PKCE (Proof Key for Code Exchange) to prevent double-submit and code replay attacks
           code_challenge_method: "S256",
         },
diff --git a/lib/services/usable-api.service.ts b/lib/services/usable-api.service.ts
@@ -97,6 +97,8 @@ export class UsableApiService {
           errorDetails: errorData.details ? JSON.stringify(errorData.details, null, 2) : undefined,
           endpoint,
           method: fetchOptions.method || "GET",
+          // Log token prefix for debugging (not the full token)
+          tokenPrefix: accessToken ? `${accessToken.substring(0, 20)}...` : undefined,
         })
         throw new Error(errorMessage)
       }
diff --git a/middleware.ts b/middleware.ts
@@ -74,7 +74,5 @@ export default withAuth(
 )
 
 export const config = {
-  matcher: [
-    "/((?!_next/static|_next/image|favicon.ico|api/health|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
-  ],
+  matcher: ["/((?!_next/static|_next/image|favicon.ico|api/health|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)"],
 }

Original file line number	Diff line number	Diff line change
`@@ -97,6 +97,8 @@ export class UsableApiService {`
`97`	`97`	`errorDetails: errorData.details ? JSON.stringify(errorData.details, null, 2) : undefined,`
`98`	`98`	`endpoint,`
`99`	`99`	`method: fetchOptions.method \|\| "GET",`
	`100`	`+ // Log token prefix for debugging (not the full token)`
	`101`	+ tokenPrefix: accessToken ? `${accessToken.substring(0, 20)}...` : undefined,
`100`	`102`	`})`
`101`	`103`	`throw new Error(errorMessage)`
`102`	`104`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,7 +74,5 @@ export default withAuth(`
`74`	`74`	`)`
`75`	`75`
`76`	`76`	`export const config = {`
`77`		`- matcher: [`
`78`		`- "/((?!_next/static\|_next/image\|favicon.ico\|api/health\|.\\.(?:svg\|png\|jpg\|jpeg\|gif\|webp)$).)",`
`79`		`- ],`
	`77`	`+ matcher: ["/((?!_next/static\|_next/image\|favicon.ico\|api/health\|.\\.(?:svg\|png\|jpg\|jpeg\|gif\|webp)$).)"],`
`80`	`78`	`}`