Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
<http://wso2.com/signature>



On Wed, Aug 23, 2017 at 1:58 PM, Gayan Gunawardana <[email protected]> wrote:

>
>
> On Wed, Aug 23, 2017 at 1:46 PM, Asela Pathberiya <[email protected]> wrote:
>
>>
>>
>> On Tue, Aug 22, 2017 at 11:32 AM, Gayan Gunawardana <[email protected]>
>> wrote:
>>
>>> According to the OpenID Connect specification [1], the "aud" value is the client id
>>> with identifiers for other audiences.
>>>
>>>  {
>>>    "iss": "https://server.example.com",
>>>    "sub": "24400320",
>>>    "aud": "s6BhdRkqt3",
>>>    "nonce": "n-0S6_WzA2Mj",
>>>    "exp": 1311281970,
>>>    "iat": 1311280970,
>>>    "auth_time": 1311280969,
>>>    "acr": "urn:mace:incommon:iap:silver"
>>>   }
>>>
>>> But in token introspection [2] the "aud" value is more like the service provider URL
>>> with identifiers for other audiences.
>>>
>>
>> Where is it mentioned that it must be the SP URL? I guess it must be
>> some kind of identification such as the client id. Isn't it?
>>
> Yes, no, it is not a URL but a kind of URI which represents the service provider.
> According to an offline chat I had with Ruwan, in the OAuth/OpenID Connect
> configuration there should be a way to configure Audiences like in SAML.
>

We do have a way to do this for OpenID Connect via identity.xml from IS
5.2.0. We did this so that our id_token could be used as a JWT Bearer
Grant. The JWT Bearer grant requires the authorization server's token endpoint
or its alias to be included as an audience.

<OpenIDConnect>
    <IDTokenBuilder>org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder</IDTokenBuilder>
    <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>

    <!-- Comment out to add Audience values to the JWT token (id_token) -->
    <!--Audiences>
        <Audience>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token</Audience>
    </Audiences -->
</OpenIDConnect>

But of course that would be a global value, so we might have to do an
improvement to define that per Service Provider.

>
>>
>>>
>>>  {
>>>       "active": true,
>>>       "client_id": "l238j323ds-23ij4",
>>>       "username": "jdoe",
>>>       "scope": "read write dolphin",
>>>       "sub": "Z5O3upPC88QrAjx00dis",
>>>       "aud": "https://protected.example.net/resource",
>>>       "iss": "https://server.example.com/",
>>>       "exp": 1419356238,
>>>       "iat": 1419350238,
>>>       "extension_field": "twenty-seven"
>>>      }
>>>
>>> Can we have different Audience values for token introspection response
>>> and ID Token ? If not we can have both as Audience values.
>>>
>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>> [2] https://tools.ietf.org/html/rfc7662#section-2.2
>>>
>>> Thanks,
>>> Gayan
>>>
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: [email protected]
>>> Mobile: +94 (71) 8020933
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Asela
>>
>> ATL
>> Mobile : +94 777 625 933
>>              +358 449 228 979
>>
>> http://soasecurity.org/
>> http://xacmlinfo.org/
>>
>
>
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933
>
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
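Added example, not code from this thread or from WSO2 Identity Server: the audience checks each consumer of the two documents compared above would apply. A relying party validates the ID Token's "aud" and "azp" claims under the rules of OpenID Connect Core 1.0 section 3.1.3.7 (its client_id must be listed, any other audience must be one it trusts, and with more than one audience "azp" must be present and name the client), and a resource server checks "active" and "aud" on an RFC 7662 introspection response. The claim sets are constructed from the spec samples quoted in the thread; the second ID Token audience "https://as.example.com/oauth2/token" stands in for the token-endpoint value the <Audiences> setting adds and is an assumption, as is the resource-server policy of requiring an "aud" that names it.

```python
# Added example (not WSO2 code): 'aud' checks on an OpenID Connect ID Token
# and on an RFC 7662 token introspection response.
from typing import Iterable, List

# Constructed sample: the thread's spec ID Token, with a second audience
# standing in for the authorization server's token endpoint (assumed value)
# and the 'azp' claim OIDC expects when more than one audience is present.
ID_TOKEN_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": ["s6BhdRkqt3", "https://as.example.com/oauth2/token"],
    "azp": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
    "auth_time": 1311280969,
}

# Constructed sample: the RFC 7662 introspection response quoted in the thread.
INTROSPECTION_RESPONSE = {
    "active": True,
    "client_id": "l238j323ds-23ij4",
    "username": "jdoe",
    "scope": "read write dolphin",
    "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource",
    "iss": "https://server.example.com/",
    "exp": 1419356238,
    "iat": 1419350238,
}


def audiences_of(claims: dict) -> List[str]:
    """Normalise 'aud', which JWT allows as one string or a list of strings."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud claim missing or malformed")


def check_id_token_audience(claims: dict, client_id: str,
                            trusted_audiences: Iterable[str] = ()) -> bool:
    """Relying-party check of 'aud'/'azp' per OIDC Core 1.0 section 3.1.3.7.

    Returns True when the ID Token may be accepted by this client.
    """
    trusted = set(trusted_audiences)
    auds = audiences_of(claims)
    # Rule 3: our own client_id must be listed as an audience ...
    if client_id not in auds:
        return False
    # ... and the token is rejected if it names an audience we do not trust.
    if any(a != client_id and a not in trusted for a in auds):
        return False
    # Rule 4: with multiple audiences, an 'azp' claim must be present.
    if len(auds) > 1 and "azp" not in claims:
        return False
    # Rule 5: when 'azp' is present, it must be this client's client_id.
    if "azp" in claims and claims["azp"] != client_id:
        return False
    return True


def check_introspection_audience(response: dict, resource_id: str) -> bool:
    """Resource-server check of an introspection response.

    The token is usable only when 'active' is true (RFC 7662 section 2.2) and
    'aud', which the RFC makes optional, is present and names this resource
    (requiring it is this example's policy, an assumption).
    """
    if response.get("active") is not True:
        return False
    if "aud" not in response:
        return False
    return resource_id in audiences_of(response)


if __name__ == "__main__":
    token_endpoint = "https://as.example.com/oauth2/token"
    print("client trusting the token endpoint:",
          check_id_token_audience(ID_TOKEN_CLAIMS, "s6BhdRkqt3", [token_endpoint]))
    print("client trusting only itself:",
          check_id_token_audience(ID_TOKEN_CLAIMS, "s6BhdRkqt3"))
    print("resource server named in aud:",
          check_introspection_audience(INTROSPECTION_RESPONSE,
                                       "https://protected.example.net/resource"))
```

The split between the two functions mirrors the thread's point: an ID Token audience is a client identifier that the relying party compares with its own client_id, while an introspection audience is a resource identifier that the protected resource compares with its own; the same token endpoint alias added through <Audiences> is only acceptable to a client that has been configured to trust it.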
