oauth2: Resolves various issues related to audience claims

This patch resolves issues related to the ID and Access Token audience claim: * oauth2: Allow multiple audience claims on ID token - closes #790 * oauth2: Reintroduce audience claim - closes #687
ory · May 29, 2018 · 7afed88 · 7afed88
1 parent 608cc3d
commit 7afed88
Showing 1 changed file with 4 additions and 1 deletion.
diff --git a/oauth2/handler.go b/oauth2/handler.go
@@ -461,7 +461,8 @@ func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprout
 	response, err := h.OAuth2.NewAuthorizeResponse(ctx, authorizeRequest, &Session{
 		DefaultSession: &openid.DefaultSession{
 			Claims: &jwt.IDTokenClaims{
-				Audience:    authorizeRequest.GetClient().GetID(),
+				// We do not need to pass the audience because it's included directly by ORY Fosite
+				//Audience:    []string{authorizeRequest.GetClient().GetID()},
 				Subject:     session.ConsentRequest.Subject,
 				Issuer:      h.IssuerURL,
 				IssuedAt:    time.Now().UTC(),
@@ -475,6 +476,8 @@ func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprout
 			Subject: session.ConsentRequest.Subject,
 		},
 		Extra: session.Session.AccessToken,
+		// Here, we do not include the client because it's typically not the audience.
+		Audience: []string{},
 	})
 	if err != nil {
 		pkg.LogError(err, h.L)