[ https://issues.apache.org/jira/browse/CXF-6753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-6753.
------------------------------------

> OAuth2 audience support is incomplete
> -------------------------------------
>
>                 Key: CXF-6753
>                 URL: https://issues.apache.org/jira/browse/CXF-6753
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>             Fix For: 3.1.5, 3.2.0
>
>
> The audience support in the OAuth2 code was done a while back based on the now
> expired draft, and while no standard is available, it is important to update
> the model now that it is getting integrated into Fediz/etc. Specifically, only a
> single audience is supported in the model while multiple audiences per
> token are possible.
> Token introspection response may include a single or multiple audiences, with 
> a single audience being allowed to be reported as a non-array (as per JWT 
> audience).
> Audience checks need to be updated too. The audience, if reported to the 
> token/authorization endpoint, will have to be contained in the list of client 
> audiences created during the registration. This can be relaxed in the future 
> and become more dynamic.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
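
The two audience rules described in the issue, as an added example (not CXF code and not part of the original message): an introspection "aud" value that may be a single string or an array, and a requested audience that must be in the client's registered list. All function names, URLs and sample responses are constructed for illustration; rejecting a token that has no audience is an assumed policy.

```python
import json

def normalize_audiences(aud):
    """Return 'aud' as a list: accepts absent, a single string, or an array of strings."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("aud must be a string or an array of strings")

def check_requested_audiences(requested, registered):
    """Endpoint-side check: each requested audience must be in the client's registered list."""
    unknown = [a for a in requested if a not in registered]
    if unknown:
        raise PermissionError("audience not registered for client: %s" % ", ".join(unknown))
    return list(requested)

def token_valid_for(introspection_json, resource_server_id):
    """Resource-server check of an introspection response against its own identifier."""
    resp = json.loads(introspection_json)
    if resp.get("active") is not True:
        return False
    # Assumption: a token that carries no audience is rejected (fail closed).
    return resource_server_id in normalize_audiences(resp.get("aud"))

# Constructed sample responses: one with a string 'aud', one with an array, one without.
SINGLE = '{"active": true, "client_id": "c1", "aud": "https://orders.example.com"}'
MULTI = ('{"active": true, "client_id": "c1", '
         '"aud": ["https://orders.example.com", "https://billing.example.com"]}')
NO_AUD = '{"active": true, "client_id": "c1"}'

if __name__ == "__main__":
    registered = ["https://orders.example.com", "https://billing.example.com"]
    print(check_requested_audiences(["https://billing.example.com"], registered))
    for name, doc in (("single", SINGLE), ("multi", MULTI), ("no aud", NO_AUD)):
        print(name, token_valid_for(doc, "https://billing.example.com"))
```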
