On Wed, Aug 23, 2017 at 7:27 PM, Prabath Siriwardena <[email protected]>
wrote:

>
>
> On Wed, Aug 23, 2017 at 4:32 AM, Sathya Bandara <[email protected]> wrote:
>
>> Hi,
>>
>> The aud claim in the ID token is used to identify which parties the JWT is
>> intended for. If the client application needs to process the JWT, then it
>> should identify itself as a value in the audience claim. Therefore it is
>> valid and rational to have the client ID in the audience claim.
>>
>> Currently, it is possible to configure the audiences for OpenID Connect
>> via identity.xml, but it gets applied globally to all SPs. We are going
>> to support multiple audience configuration in IS 5.5.0 via the UI, similar
>> to how it's done in SAML. As an improvement to this we can include the
>> client identifier in the audience claim as well.
>>
>
> I assume we will let the user define multiple audience values - for an
> access token and an ID token, independently?
>

With the current implementation, the audience values would be configurable
through the SP configuration UI (for an OAuth app). The same values can be used
for both the access token and the ID token, but not independently. However, this can
be improved to provide two audience configurations, one for OAuth introspection
and one for the ID token.


Thanks,
Sathya

>
> Thanks & regards,
> -Prabath
>
>
>>
>> Thanks,
>> Sathya
>>
>>
>>
>> On Wed, Aug 23, 2017 at 2:09 PM, Prabath Siriwardena <[email protected]>
>> wrote:
>>
>>> The audience of the ID token is the web app (or it can also have the
>>> token endpoint - in case of the JWT grant type) - the audience of the
>>> access token is the API (or where it will be used by the web app).. so
>>> those can be two different values..
>>>
>>> This [1] is a good way we should consider implementing - to request an
>>> access token for a given audience..
>>>
>>> [1]: https://tools.ietf.org/id/draft-tschofenig-oauth-audience-00.html
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>>
>>>
>>> On Mon, Aug 21, 2017 at 11:02 PM, Gayan Gunawardana <[email protected]>
>>> wrote:
>>>
>>>> According to the OpenID Connect specification [1], the "aud" value is the client ID,
>>>> with identifiers for other audiences.
>>>>
>>>>  {
>>>>    "iss": "https://server.example.com",
>>>>    "sub": "24400320",
>>>>    "aud": "s6BhdRkqt3",
>>>>    "nonce": "n-0S6_WzA2Mj",
>>>>    "exp": 1311281970,
>>>>    "iat": 1311280970,
>>>>    "auth_time": 1311280969,
>>>>    "acr": "urn:mace:incommon:iap:silver"
>>>>   }
>>>>
>>>> But in the token introspection response [2], the "aud" value is more like the service provider
>>>> URL, with identifiers for other audiences.
>>>>
>>>>  {
>>>>       "active": true,
>>>>       "client_id": "l238j323ds-23ij4",
>>>>       "username": "jdoe",
>>>>       "scope": "read write dolphin",
>>>>       "sub": "Z5O3upPC88QrAjx00dis",
>>>>       "aud": "https://protected.example.net/resource",
>>>>       "iss": "https://server.example.com/",
>>>>       "exp": 1419356238,
>>>>       "iat": 1419350238,
>>>>       "extension_field": "twenty-seven"
>>>>      }
>>>>
>>>> Can we have different audience values for the token introspection response
>>>> and the ID token? If not, we can have both as audience values.
>>>>
>>>> [1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>>>> [2] https://tools.ietf.org/html/rfc7662#section-2.2
>>>>
>>>> Thanks,
>>>> Gayan
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: [email protected]
>>>> Mobile: +94 (71) 8020933
>>>>
>>>
>>>
>>>
>>> --
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Twitter : @prabath
>>> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>>>
>>> Mobile : +1 650 625 7950
>>>
>>> http://facilelogin.com
>>>
>>> _______________________________________________
>>> Dev mailing list
>>> [email protected]
>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>
>>>
>>
>>
>> --
>> Sathya Bandara
>> Software Engineer
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
>>
>>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>



-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421

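The two audience checks the thread contrasts (an OIDC client checking that its client ID is listed in the ID token's aud, and a resource server checking that an introspection response names its own resource URL), written out as an added example that is not code from the thread or from WSO2 Identity Server; the claim sets are constructed to resemble the ones quoted above, and the aud/azp rules follow OpenID Connect Core 3.1.3.7 and RFC 7519's string-or-array aud form.

```python
# Constructed sample claims, not taken from any real deployment.
ID_TOKEN_CLAIMS = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    # Multi-audience case: client ID plus an extra audience, so azp is required.
    "aud": ["s6BhdRkqt3", "https://api.example.com"],
    "azp": "s6BhdRkqt3",
    "exp": 1311281970,
}
INTROSPECTION_RESPONSE = {
    "active": True,
    "client_id": "l238j323ds-23ij4",
    "aud": "https://protected.example.net/resource",
    "exp": 1419356238,
}


def audiences(claims):
    """Normalise aud, which RFC 7519 allows as a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def id_token_audience_ok(claims, client_id):
    """OIDC Core 3.1.3.7: the client MUST be listed in aud; with more than one
    audience the azp claim should be present, and when azp is present it must
    equal the client's own client_id (otherwise the token is for another party)."""
    auds = audiences(claims)
    if client_id not in auds:
        return False
    if len(auds) > 1 and "azp" not in claims:
        return False
    if "azp" in claims and claims["azp"] != client_id:
        return False
    return True


def introspection_audience_ok(resp, resource_id):
    """A resource server (RFC 7662 consumer) accepts only active tokens whose
    aud names this resource; a token minted for another API is rejected."""
    return resp.get("active") is True and resource_id in audiences(resp)
```

Note that the ID-token check keys on the client ID while the introspection check keys on the resource URL, which is exactly why the thread argues for configuring the two audiences independently.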