fix: Disable audience validation by default in Keycloak example

Keycloak tokens don't include 'aud' claim by default. Changed example to
disable audience validation for development (audience=None). Production
deployments should configure Keycloak audience mappers and set the
FASTMCP_SERVER_AUTH_KEYCLOAK_AUDIENCE environment variable.

Author: stephaneberle9

docs/integrations/keycloak.mdx

@@ -111,7 +111,9 @@ If you prefer using Docker Compose instead, you may want to have a look at the [
 ### Step 2: FastMCP Configuration
 
 <Warning>
-**Security Best Practice**: Always configure the `audience` parameter in production environments. Without audience validation, your server will accept tokens issued for *any* audience, including tokens meant for completely different services. Set `audience` to your resource server identifier (typically your server's base URL) to ensure tokens are specifically intended for your server.
+**Security Best Practice**: For production environments, always configure the `audience` parameter. Without audience validation, your server will accept tokens issued for *any* audience, including tokens meant for completely different services.
+
+**Important**: Keycloak doesn't include the `aud` claim in tokens by default. For the example below to work out-of-the-box, audience validation is disabled. For production, configure Keycloak audience mappers and set `audience` to your resource server identifier (typically your server's base URL) to ensure tokens are specifically intended for your server.
 </Warning>
 
 Create your FastMCP server file and use the KeycloakAuthProvider to handle all the OAuth integration automatically:
@@ -127,7 +129,7 @@ auth_provider = KeycloakAuthProvider(
     realm_url="http://localhost:8080/realms/fastmcp",  # Your Keycloak realm URL
     base_url="http://localhost:8000",                  # Your server's public URL
     required_scopes=["openid", "profile"],             # Required OAuth scopes
-    audience="http://localhost:8000",                  # Recommended: validate token audience
+    # audience="http://localhost:8000",                # For production: configure Keycloak audience mappers first
 )
 
 # Create FastMCP server with auth

examples/auth/keycloak_auth/README.md

@@ -38,7 +38,8 @@ Manually import the realm:
    ```bash
    export FASTMCP_SERVER_AUTH_KEYCLOAK_REALM_URL="http://localhost:8080/realms/fastmcp"
    export FASTMCP_SERVER_AUTH_KEYCLOAK_BASE_URL="http://localhost:8000"
-   # Optional: Set audience for token validation (defaults to base_url if not set)
+   # Optional: Set audience for token validation (disabled by default)
+   # For production, configure Keycloak audience mappers first, then uncomment:
    # export FASTMCP_SERVER_AUTH_KEYCLOAK_AUDIENCE="http://localhost:8000"
    ```
 

examples/auth/keycloak_auth/server.py

@@ -8,7 +8,7 @@
 
 Optional environment variables:
 - FASTMCP_SERVER_AUTH_KEYCLOAK_REQUIRED_SCOPES: Required OAuth scopes (default: "openid,profile")
-- FASTMCP_SERVER_AUTH_KEYCLOAK_AUDIENCE: Audience for JWT validation (default: base_url)
+- FASTMCP_SERVER_AUTH_KEYCLOAK_AUDIENCE: Audience for JWT validation (default: None for development)
 
 To run:
     python server.py
@@ -36,13 +36,15 @@
 required_scopes = os.getenv(
     "FASTMCP_SERVER_AUTH_KEYCLOAK_REQUIRED_SCOPES", "openid,profile"
 )
-audience = os.getenv("FASTMCP_SERVER_AUTH_KEYCLOAK_AUDIENCE", base_url)
+# Note: Audience validation is disabled by default for this development example.
+# For production, configure Keycloak audience mappers and set FASTMCP_SERVER_AUTH_KEYCLOAK_AUDIENCE
+audience = os.getenv("FASTMCP_SERVER_AUTH_KEYCLOAK_AUDIENCE")
 
 auth = KeycloakAuthProvider(
     realm_url=realm_url,
     base_url=base_url,
     required_scopes=required_scopes,
-    audience=audience,  # Validate token audience for security
+    audience=audience,  # None by default for development
 )
 
 mcp = FastMCP("Keycloak OAuth Example Server", auth=auth)