Comments (8)
@muhlemmer @livio-a Is there a reason why we have an array in the aud?
Does that change with the new version of the OIDC lib?
from oidc.
I've just checked section 4 and can't see a conflict in the implementation.
note the could:
Below is an example JSON object that could be encoded to produce the JWT Claims Set for a JWT:
Further the JWT RFC 7519 (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3) states that
[...] In the general case, the "aud" value is an array of case-
sensitive strings, each containing a StringOrURI value. In the
special case when the JWT has one audience, the "aud" value MAY be a
single case-sensitive string containing a StringOrURI value.
We certainly improve the serialization of a single string audience into a string, but i wouldn't classify it as a bug then.
from oidc.
I second @livio-a his conclusion that our current implementation is valid. I just checked it without knowing he already replied.
causing errors when connecting to systems that require audience be a string value.
@Kunde21, can you be specific which systems are breaking on this? How would those systems handle multiple audience values? Would be strange if they work properly with multiple values (which they should) and break on a single value in an array.
Have you considered raising a bug or ticket at the "other" system?
We certainly improve the serialization of a single string audience into a string, but i wouldn't classify it as a bug then.
@livio-a we would end up again with more custom json marshalling on any claims bearing object, if we want to be consistent. Or use a separate type for all claims that allow the switch between string or array and have a marshal method on that. Either way it sounds like more code to maintain. I would abstain until it's proven to be absolutely necessary by the OP or others.
from oidc.
We certainly improve the serialization of a single string audience into a string, but i wouldn't classify it as a bug then.
@livio-a we would end up again with more custom json marshalling on any claims bearing object, if we want to be consistent. Or use a separate type for all claims that allow the switch between string or array and have a marshal method on that. Either way it sounds like more code to maintain. I would abstain until it's proven to be absolutely necessary by the OP or others.
You're right. As the RFC even uses MAY and not SHOULD it's even less necessary.
from oidc.
The context here are FAPI compliant auth servers at financial institutions that take a very strict reading of the FAPI part 2 Section 5.2.3:
In addition, the confidential client:
...
10. shall send the aud claim in the request object as the OP's Issuer Identifier URL
...
The token exchange fails for any value of aud
that does not match the issuer (in some cases) or the token endpoint (in the rest).
from oidc.
And a FAPI compliance test is failing with a single value was set to an array? Or is this a theoretical discussion?
from oidc.
This is an active, production system that is being integrated upon. The oidc server is not going to change in this scenario.
from oidc.
After some digging we found this conformance suite discussion.
Practically, the FAPI test suite introduces the error as it gives the idea the Audience should be a string. But that's a bug is the suite. Meanwhile, what I get from this comment is that the conformance test automatically flattens the array and therefore accepting implicitly a single element array during RP testing.
If it helps, I would be open to a PR that implements a Marshal
method on the oidc.Audience
type. And hope there are no OPs out there that only accept arrays.
from oidc.
Related Issues (20)
- Add HS256 support HOT 1
- client/rs: error when issuer discovery has no introspection endpoint HOT 3
- callback always returns state param, even if empty HOT 1
- Can't revoke token HOT 1
- allow to set audiences for device authorization
- return an ID token with Device Authorizaiton HOT 1
- [Spike]: OpenID Conformance testing suite
- Need to add a "typ":"JWT" header to my tokens HOT 1
- proposal(op): new server interface to replace storage HOT 8
- state always returned in access token response HOT 2
- [Bug]: Client Assertion token request includes basic auth header HOT 3
- PKCE support is not enough HOT 1
- use trace id of external service HOT 2
- Allow custom forwarded header HOT 2
- [Bug]: client invalid signature when OIDC server is restarted HOT 2
- The automated release is failing 🚨
- [Bug]: nil pointer dereference in `crypto.BytesToPrivateKey` HOT 3
- Access to auto discovery configuration HOT 3
- Allow empty nonce from ID Tokens issued from Refresh Tokens HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oidc.