Colm O hEigeartaigh closed CXF-6753.

> OAuth2 audience support is incomplete
> -------------------------------------
>                 Key: CXF-6753
>                 URL: https://issues.apache.org/jira/browse/CXF-6753
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>             Fix For: 3.1.5, 3.2.0
> The audience support in the OAuth2 code was done a while back based on the now
> expired draft, and while no standard is available, it is important to update 
> the model now that it is getting integrated into Fediz/etc. Specifically, a 
> single audience is only supported in the model while multiple audiences per 
> token are possible. 
> Token introspection response may include a single or multiple audiences, with 
> a single audience being allowed to be reported as a non-array (as per JWT 
> audience).
> Audience checks need to be updated too. The audience, if reported to the 
> token/authorization endpoint, will have to be contained in the list of client 
> audiences created during the registration. This can be relaxed in the future
> and become more dynamic.

This message was sent by Atlassian JIRA
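
The two behaviours the issue describes, as an added Python example that is not CXF code and not part of the original message: reading `aud` from a token introspection response whether it arrives as a single string or as an array, and checking requested audiences against the audiences registered for the client. The function names, the example.com URLs and the sample responses are assumptions constructed for illustration.

```python
import json

# Constructed sample data: audiences recorded for a client at registration.
REGISTERED = ["https://api.example.com/orders", "https://api.example.com/billing"]

# Constructed introspection responses: one audience as a bare string, two as an array.
SINGLE = '{"active": true, "aud": "https://api.example.com/orders"}'
MULTI = ('{"active": true, "aud": ["https://api.example.com/orders", '
         '"https://api.example.com/billing"]}')


def audiences_from_introspection(body):
    """Return the token's audiences as a list, whichever form `aud` took."""
    resp = json.loads(body)
    if resp.get("active") is not True:
        raise ValueError("token is not active")
    aud = resp.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        # Single audience reported as a non-array. Wrapping it here matters:
        # `x in "some string"` is a substring test, not a membership test.
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("malformed aud member")


def check_requested_audiences(requested, registered):
    """Every audience sent to the token/authorization endpoint must be
    contained in the client's registered audiences (exact match only)."""
    allowed = set(registered)
    unknown = [a for a in requested if a not in allowed]
    if unknown:
        raise PermissionError("audience not registered for client: %s" % unknown)
    return list(requested)


if __name__ == "__main__":
    print(audiences_from_introspection(SINGLE))
    print(audiences_from_introspection(MULTI))
    print(check_requested_audiences(["https://api.example.com/orders"], REGISTERED))
```
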