Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oauth2: Reintroduce audience claim #687

Closed
aeneasr opened this issue Dec 8, 2017 · 3 comments
Closed

oauth2: Reintroduce audience claim #687

aeneasr opened this issue Dec 8, 2017 · 3 comments
Assignees
@aeneasr
Labels
feat New feature or request. package/consent package/oauth2
Milestone
v1.0.0

Comments

@aeneasr
Copy link
Member

aeneasr commented Dec 8, 2017
edited
Loading

It is not possible to set the audience claim in the consent acceptance payload, and it's not possible to retrieve it using the warden API, nor the introspection API. To add it, it must probably be introduced as part of the session.
@aeneasr aeneasr added this to the unplanned milestone Jan 15, 2018
@aeneasr aeneasr modified the milestones: unplanned, 1.0.0 Feb 9, 2018
@someone1
Copy link
Contributor

The session seems to persist the request.Form so maybe this can already be done with slight modification of the challenge session persistence?

If a request comes to the /oauth2/auth handler with an audience URL parameter (in addition to the client_id, state, redirect_uri, etc. like Auth0 does), then this can be persisted in the ConsentRequest and returned as part of the Session.

Side note, it looks like hydra is treating every auth request as an OpenID Connect request? Unless scope=openid is specified, you do not need to force the aud=client_id behavior. All Sessions seem to be represented internally as fosite openid.DefaultSessions. I don't think this impacts anything but was confusing to me as I was trying to use hydra's handlers and wanted to use JWT tokens but got an OpenID token instead.

@someone1
Copy link
Contributor

Depending on how issue #772 is implemented, this might be rolled up into those changes?

@aeneasr
Copy link
Member Author

aeneasr commented Mar 3, 2018

The session seems to persist the request.Form so maybe this can already be done with slight modification of the challenge session persistence?

Yes, that's the case indeed

If a request comes to the /oauth2/auth handler with an audience URL parameter (in addition to the client_id, state, redirect_uri, etc. like Auth0 does), then this can be persisted in the ConsentRequest and returned as part of the Session.

I'm not quite sure at the moment - is this specified in some spec somewhere? Auth0 is known to bake in some weird custom stuff in their system which is also why they had to basically deprecate all the old APIs.

Side note, it looks like hydra is treating every auth request as an OpenID Connect request? Unless scope=openid is specified, you do not need to force the aud=client_id behavior. All Sessions seem to be represented internally as fosite openid.DefaultSessions. I don't think this impacts anything but was confusing to me as I was trying to use hydra's handlers and wanted to use JWT tokens but got an OpenID token instead.

Kinda, we have handlers which "hook" in functionality based on request parameters. If openid is specified as a scope, an OpenID Connect handler will try to process the request.

Depending on how issue #772 is implemented, this might be rolled up into those changes?

Absolutely

@aeneasr aeneasr modified the milestones: 1.0.0, 1.0.0-alpha.1 Apr 19, 2018
@aeneasr aeneasr modified the milestones: 1.0.0-alpha.1, 1.0.0 May 25, 2018
@aeneasr aeneasr self-assigned this May 25, 2018
@aeneasr aeneasr mentioned this issue May 25, 2018
Closed
aeneasr pushed a commit that referenced this issue May 29, 2018
oauth2: Resolves various issues related to audience claims
e08f82c 
This patch resolves issues related to the ID and Access Token audience
claim:

* oauth2: Allow multiple audience claims on ID token - closes #790
* oauth2: Reintroduce audience claim - closes #687
@github-actions github-actions bot mentioned this issue Nov 2, 2022
Closed
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@aeneasr aeneasr

Labels
feat New feature or request. package/consent package/oauth2
Projects
None yet
Milestone
v1.0.0
Development

No branches or pull requests
2 participants
@someone1 @aeneasr