FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Require `aud` claim on OpenID Connect UserInfo endpoint #2725

Closed spwitt closed 2 months ago

spwitt commented 2 months ago

Require aud claim on OpenID Connect UserInfo endpoint

Description

With the introduction of third-party applications and OAuth scope handling policies it is necessary for FusionAuth to identify the application a token was issued for in order to customize the response from the /oauth2/userinfo endpoint.

Solution

FusionAuth's /oauth2/userinfo endpoint requires the aud (audience) claim on tokens used to make a request to the endpoint.

The endpoint is part of the OpenID Connect specification, which provides an identity layer on top of OAuth 2.0. All tokens (JWTs) issued by FusionAuth via OAuth 2.0 workflows include the aud claim.

Additional context

Tokens issued by FusionAuth outside of OAuth workflows may not include the aud claim. If the integration is such that using OAuth workflows is not an option, there are other options:

  1. Use a combination of the /api/jwt/validate endpoint and /api/user to get identity information about the user
  2. Add the aud claim to the tokens
    1. Include the aud claim on the request to generate the token
    2. Add the aud claim via a lambda

spwitt commented 2 months ago

Internal

spwitt commented 2 months ago

Shipping in 1.50.0