On Wed, Aug 23, 2017 at 4:32 AM, Sathya Bandara <[email protected]> wrote:

> Hi,
>
> The aud claim in id token is used to identify to which parties the JWT is
> intended for. If the client application needs to process the JWT then it
> should identify itself as a value in the audiences claim. Therefore it is
> valid and rational to have the client ID in the audience claim.
>
>  Currently, it is possible to configure the audiences for OpenID Connect
> via identity.xml but it will get applied globally in all SPs. We are going
> to support multiple audience configuration in IS 5.5.0 via the UI similar
> to how its done in SAML. As an improvement to this we can include the
> client identifier in the audience claim as well.
>

I assume we will let the user define multiple audience values - for an
access token and an ID token, independently?

Thanks & regards,
-Prabath


>
> Thanks,
> Sathya
>
>
>
> On Wed, Aug 23, 2017 at 2:09 PM, Prabath Siriwardena <[email protected]>
> wrote:
>
>> The audience of the ID token is the web app (or it can also have the
>> token endpoint - in case of the JWT grant type) - the audience of the
>> access token is the API (or where it will be used by the web app).. so
>> those can be two different values..
>>
>> This [1] is a good way we should consider implementing - to request an
>> access token for a given audience..
>>
>> [1]: https://tools.ietf.org/id/draft-tschofenig-oauth-audience-00.html
>>
>> Thanks & regards,
>> -Prabath
>>
>>
>>
>> On Mon, Aug 21, 2017 at 11:02 PM, Gayan Gunawardana <[email protected]>
>> wrote:
>>
>>> According to the OpenID Connect specification [1], the "aud" value is the client id
>>> with identifiers for other audiences.
>>>
>>>  {
>>>    "iss": "https://server.example.com",
>>>    "sub": "24400320",
>>>    "aud": "s6BhdRkqt3",
>>>    "nonce": "n-0S6_WzA2Mj",
>>>    "exp": 1311281970,
>>>    "iat": 1311280970,
>>>    "auth_time": 1311280969,
>>>    "acr": "urn:mace:incommon:iap:silver"
>>>   }
>>>
>>> But in token introspection "aud" value is more like service provider URL
>>> with identifiers for other audiences.
>>>
>>>  {
>>>       "active": true,
>>>       "client_id": "l238j323ds-23ij4",
>>>       "username": "jdoe",
>>>       "scope": "read write dolphin",
>>>       "sub": "Z5O3upPC88QrAjx00dis",
>>>       "aud": "https://protected.example.net/resource",
>>>       "iss": "https://server.example.com/",
>>>       "exp": 1419356238,
>>>       "iat": 1419350238,
>>>       "extension_field": "twenty-seven"
>>>      }
>>>
>>> Can we have different audience values for the token introspection response
>>> and the ID Token? If not, we can have both as audience values.
>>>
>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>> [2] https://tools.ietf.org/html/rfc7662#section-2.2
>>>
>>> Thanks,
>>> Gayan
>>>
>>> --
>>> Gayan Gunawardana
>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: [email protected]
>>> Mobile: +94 (71) 8020933
>>>
>>
>>
>>
>> --
>> Thanks & Regards,
>> Prabath
>>
>> Twitter : @prabath
>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>
>> Mobile : +1 650 625 7950
>>
>> http://facilelogin.com
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>



-- 
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena

Mobile : +1 650 625 7950

http://facilelogin.com
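The two checks the thread is circling around, as an added example that is not code from the thread or from WSO2 Identity Server: a client validating the "aud"/"azp" claims of an ID token, and a resource server validating the "aud" of an introspection response. Function names are hypothetical; the sample claim sets are constructed from the spec examples quoted above (the client id and resource URL are the specs' placeholder values).

```python
from typing import Any, Optional

# Constructed from the two JSON examples quoted in the thread (the client id and
# resource URL are the specs' sample values, not real identifiers).
ID_TOKEN_CLAIMS = {"iss": "https://server.example.com", "sub": "24400320",
                   "aud": "s6BhdRkqt3", "exp": 1311281970, "iat": 1311280970}
INTROSPECTION_RESPONSE = {"active": True, "client_id": "l238j323ds-23ij4",
                          "aud": "https://protected.example.net/resource",
                          "iss": "https://server.example.com/", "exp": 1419356238}


def _as_list(aud: Any) -> Optional[list[str]]:
    """'aud' may be a single string or a non-empty array of strings; anything else is rejected."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        return aud
    return None


def id_token_audience_ok(claims: dict[str, Any], client_id: str,
                         trusted_extra: frozenset[str] = frozenset()) -> bool:
    """Client-side check of an ID token's aud/azp (OpenID Connect Core 1.0, section 3.1.3.7).

    The client's own client_id must be listed in aud; every other audience must be
    one the client knowingly trusts; with several audiences 'azp' must be present,
    and whenever 'azp' is present it must equal client_id.
    """
    audiences = _as_list(claims.get("aud"))
    if audiences is None or client_id not in audiences:
        return False
    if any(a != client_id and a not in trusted_extra for a in audiences):
        return False  # token was also minted for a party this client does not recognise
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        return False
    return azp is None or azp == client_id


def introspected_token_ok(resp: dict[str, Any], resource_id: str) -> bool:
    """Resource-server check of an RFC 7662 response: the token must be active and
    its aud must name this resource, not merely the client it was issued to."""
    if resp.get("active") is not True:
        return False
    audiences = _as_list(resp.get("aud"))
    return audiences is not None and resource_id in audiences
```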