Hi,

Currently, new audience values for JWT id_tokens have to be added via the
identity.xml file, and the server needs to be restarted. With this approach we
cannot control the id_token audience at the SP level, since it gets applied
globally through the identity.xml based configuration. In this case we are not
able to override the audience values at the SP level if the id_token is to be
used as a JWT grant in a specific IDP. As a solution to this we are
providing the audience configuration option in the UI via the SP OAuth config
UI [1].

The SP OAuth configuration values obtained from the UI are persisted into
the DB via *OauthAdminService* using the *registerOAuthApplicationData* method.
The IDN_OAUTH_CONSUMER_APPS table is used to populate OAuth consumer app
related data. For storing the audience values we can add another column
to this table to keep them as either space- or comma-separated values, as
is done for the grant_types. However, since there can be multiple audience
values for a particular id_token, we cannot specify a limit on the
column size.

I have also considered the following approach: adding audience values as
key-value pairs in the SP_INBOUND_AUTH table, identified by the OAuth app ID,
e.g. PROP_NAME = 'audience' -> PROP_VALUE = 'https://localhost:9443/oauth2/token'

However, on application update these values are deleted by
*IdentityApplicationManagementService*'s *updateApplication* method.

As a solution to this we have identified the following two options:

1. Create a new table to store audience values, identified by the OAuth
application's consumer key.

2. Store them as space-separated values in the IDN_OAUTH_CONSUMER_APPS table by
introducing a new column for audiences, with the above-mentioned limitation on
adding multiple audiences.

I would highly appreciate your suggestions on this.

[1] https://wso2.org/jira/browse/IDENTITY-5877

Best regards,
Sathya

-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
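The two storage options discussed in the message above, as an added example that is not part of the original post and not WSO2 Identity Server code. It models option 1 as a normalised child table keyed by consumer key and option 2 as a space-separated column in the style of GRANT_TYPES, then shows how the stored values end up in the id_token's `aud` claim. The table name IDN_OIDC_AUDIENCE, the column names, the `max_len` of 255 and the sample consumer keys and audience URIs are assumptions; the only real constraint applied is OIDC Core 3.1.3.7, which requires `aud` to contain the client_id and expects `azp` to be present when there are multiple audiences.

```python
"""Added example (not WSO2 code): per-app id_token audiences, two storage options.

Table and column names are assumptions modelled on the IDN_OAUTH_CONSUMER_APPS
discussion; sqlite3 in memory stands in for the identity database.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IDN_OAUTH_CONSUMER_APPS (
    CONSUMER_KEY TEXT PRIMARY KEY,
    APP_NAME     TEXT NOT NULL,
    GRANT_TYPES  TEXT          -- space separated, as in the existing column
);
-- Option 1 (hypothetical table): one row per audience value, so the number of
-- audiences per app is not bounded by a VARCHAR size. Deleting the consumer
-- app removes its audiences with it.
CREATE TABLE IDN_OIDC_AUDIENCE (
    CONSUMER_KEY TEXT NOT NULL
        REFERENCES IDN_OAUTH_CONSUMER_APPS(CONSUMER_KEY) ON DELETE CASCADE,
    AUDIENCE     TEXT NOT NULL,
    PRIMARY KEY (CONSUMER_KEY, AUDIENCE)
);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def register_app(conn, consumer_key, app_name, grant_types):
    conn.execute("INSERT INTO IDN_OAUTH_CONSUMER_APPS VALUES (?, ?, ?)",
                 (consumer_key, app_name, " ".join(grant_types)))


def set_audiences(conn, consumer_key, audiences):
    # Replace the whole set in one go so an app update never leaves stale rows.
    conn.execute("DELETE FROM IDN_OIDC_AUDIENCE WHERE CONSUMER_KEY = ?", (consumer_key,))
    conn.executemany("INSERT INTO IDN_OIDC_AUDIENCE VALUES (?, ?)",
                     [(consumer_key, a) for a in audiences])


def get_audiences(conn, consumer_key):
    rows = conn.execute(
        "SELECT AUDIENCE FROM IDN_OIDC_AUDIENCE WHERE CONSUMER_KEY = ? ORDER BY AUDIENCE",
        (consumer_key,)).fetchall()
    return [r[0] for r in rows]


def id_token_audience_claims(conn, consumer_key):
    """Build the aud (and azp) claims for an id_token issued to this client.

    OIDC Core 3.1.3.7: aud MUST contain the client_id, whatever extra audiences
    the SP configured; with multiple audiences the client SHOULD check that azp
    is present, so it is set to the client_id in that case.
    """
    extra = get_audiences(conn, consumer_key)
    aud = [consumer_key] + [a for a in extra if a != consumer_key]
    claims = {"aud": aud if len(aud) > 1 else aud[0]}
    if len(aud) > 1:
        claims["azp"] = consumer_key
    return claims


# Option 2: a single space-separated column, as done for GRANT_TYPES.
def encode_space_separated(audiences, max_len=255):
    """Serialise for a VARCHAR(max_len) column; refuse values that cannot round-trip."""
    for a in audiences:
        if " " in a:  # aud is StringOrURI, so a plain string could contain a space
            raise ValueError(f"audience {a!r} contains a space; cannot be stored space-separated")
    encoded = " ".join(audiences)
    if len(encoded) > max_len:  # the column-size limitation raised in the message
        raise ValueError(f"{len(encoded)} chars exceeds column size {max_len}")
    return encoded


def decode_space_separated(value):
    return value.split() if value else []


def demo():
    # Constructed sample data: an SP whose id_token is replayed as a JWT grant
    # against two token endpoints.
    conn = open_db()
    register_app(conn, "abc123", "jwt-grant-app",
                 ["authorization_code", "urn:ietf:params:oauth:grant-type:jwt-bearer"])
    set_audiences(conn, "abc123",
                  ["https://localhost:9443/oauth2/token", "https://idp.example/token"])
    return id_token_audience_claims(conn, "abc123")


if __name__ == "__main__":
    print(demo())
```

Whichever storage option is picked, the token issuer should always prepend its own client_id to the configured list rather than trusting the stored values to contain it, otherwise an SP admin can configure an id_token that its own client would reject.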