[
https://issues.apache.org/jira/browse/DIRKRB-435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14975590#comment-14975590
]
Jiajia Li commented on DIRKRB-435:
----------------------------------
In Token-preauth.pdf under directory-kerby/docs, there is a description of
audience:
""aud" (Audience) Claim. This claim SHOULD specify the token audience
appropriately, for Identity Token, the value SHOULD be the principal name of
the Ticket Granting Service including the realm; for Access Token the value
SHOULD be the principal name of the target service including the realm. The
mechanism uses this attribute to determine the input token is an Identity Token
or an Access Token."
So we can check the idtoken audience with tgs principal.
> JWT Audience restriction validation is not working
> --------------------------------------------------
>
> Key: DIRKRB-435
> URL: https://issues.apache.org/jira/browse/DIRKRB-435
> Project: Directory Kerberos
> Issue Type: Bug
> Reporter: Colm O hEigeartaigh
> Fix For: 1.0.0-RC2
>
>
> When specifying a different JWT audience restriction value in the tests,
> validation is not failing. See the @Ignored test "testBadAudienceRestriction"
> in WithAccessTokenKdcTest/WithIdentityTokenKdcTest in the source.
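The audience rule quoted above, as an added Java example that is not part of the JIRA message or of Kerby's code: the class, enum and method names are hypothetical, the principals are constructed sample values, and rejecting a token with no "aud" value is an assumption (the quoted text only says SHOULD).

```java
import java.util.List;

// Added illustration; AudienceCheck and its methods are hypothetical names, not Kerby APIs.
public class AudienceCheck {

    enum TokenKind { IDENTITY, ACCESS }

    // The Ticket Granting Service principal of a realm is krbtgt/REALM@REALM.
    static String tgsPrincipal(String realm) {
        return "krbtgt/" + realm + "@" + realm;
    }

    // Decide the token kind from its "aud" values; fail closed when nothing matches.
    static TokenKind classify(List<String> audiences, String realm, String targetService) {
        if (audiences == null || audiences.isEmpty()) {
            // Assumption: a missing audience is rejected rather than treated as "any".
            throw new SecurityException("token has no aud claim");
        }
        if (audiences.contains(tgsPrincipal(realm))) {
            return TokenKind.IDENTITY;
        }
        if (targetService != null && audiences.contains(targetService)) {
            return TokenKind.ACCESS;
        }
        throw new SecurityException("aud " + audiences + " matches neither TGS nor target service");
    }

    // Accept the token only if its audience makes it the kind this exchange expects.
    static void requireKind(TokenKind expected, List<String> aud, String realm, String service) {
        TokenKind actual = classify(aud, realm, service);
        if (actual != expected) {
            throw new SecurityException("expected " + expected + " token, got " + actual);
        }
    }

    public static void main(String[] args) {
        String realm = "EXAMPLE.COM";                        // constructed sample values
        String service = "HTTP/web.example.com@EXAMPLE.COM";
        requireKind(TokenKind.IDENTITY, List.of(tgsPrincipal(realm)), realm, service);
        requireKind(TokenKind.ACCESS, List.of(service), realm, service);
        try {
            // Audience of another realm's TGS: must be rejected.
            requireKind(TokenKind.IDENTITY, List.of("krbtgt/OTHER.ORG@OTHER.ORG"), realm, service);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```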