Sergey Beryozkin created CXF-6753:
-------------------------------------

             Summary: OAuth2 audience support is incomplete
                 Key: CXF-6753
                 URL: https://issues.apache.org/jira/browse/CXF-6753
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS, JAX-RS Security
            Reporter: Sergey Beryozkin
            Assignee: Sergey Beryozkin
             Fix For: 3.1.5, 3.2.0


The audience support in the OAuth2 code was done a while back based on the now expired draft, and while no standard is available, it is important to update the model now that it is getting integrated into Fediz/etc. Specifically, only a single audience is currently supported in the model, while multiple audiences per token are possible.

A token introspection response may include a single or multiple audiences, with a single audience being allowed to be reported as a non-array (as per JWT audience).

Audience checks need to be updated too. The audience, if reported to the token/authorization endpoint, will have to be contained in the list of client audiences created during the registration. This can be relaxed in the future and become more dynamic.
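As an added illustration of the two checks described above (not code from CXF or from the reporter): normalising the introspection "aud" value, which may be a plain string or an array, and verifying that an audience a client reports to the token/authorization endpoint is one it registered. The JSON bodies and URLs are constructed samples.

```python
import json

# Constructed introspection responses in RFC 7662 shape; not taken from the CXF code base.
INTROSPECTION_SINGLE_AUD = json.dumps({
    "active": True, "client_id": "client-a",
    "aud": "https://rs1.example.com",  # single audience reported as a non-array
})
INTROSPECTION_MULTI_AUD = json.dumps({
    "active": True, "client_id": "client-a",
    "aud": ["https://rs1.example.com", "https://rs2.example.com"],  # array form
})


def normalize_audiences(aud):
    """Return the 'aud' value as a list; JWT allows a string or an array of strings."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a string or an array of strings")


def introspection_audiences(response_body):
    """Audiences of an introspected token, whichever form 'aud' takes; none if inactive."""
    data = json.loads(response_body)
    if not data.get("active"):
        return []
    return normalize_audiences(data.get("aud"))


def check_requested_audience(requested, registered):
    """Issuer side: an audience sent to the token/authorization endpoint must be one
    the client registered. If no audience was requested there is nothing to check."""
    if requested is None:
        return True
    return requested in registered


def token_valid_for_resource(response_body, resource_id):
    """Resource server side: accept the token only if it is active and names this server."""
    return resource_id in introspection_audiences(response_body)
```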



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)