Require aud claim on OpenID Connect UserInfo endpoint
Description
With the introduction of third-party applications and OAuth scope handling policies it is necessary for FusionAuth to identify the application a token was issued for in order to customize the response from the /oauth2/userinfo endpoint.
Solution
FusionAuth's /oauth2/userinfo endpoint requires the aud (audience) claim on tokens used to make a request to the endpoint.
The endpoint is part of the OpenID Connect specification, which provides an identity layer on top of OAuth 2.0. All tokens (JWTs) issued by FusionAuth via OAuth 2.0 workflows include the aud claim.
Additional context
Tokens issued by FusionAuth outside of OAuth workflows may not include the aud claim, so /oauth2/userinfo will not accept them. If using OAuth workflows is not an option for the integration, there are other options:
Use a combination of the /api/jwt/validate endpoint and /api/user to get identity information about the user
Add the aud claim to the tokens, either by:
    Including the aud claim on the request to generate the token
    Adding the aud claim via a lambda
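As an added example (not FusionAuth's own code), the following Node.js snippet shows how a client can route an identity lookup depending on whether a token carries the aud claim, and sketches the two ways listed above for adding aud to tokens minted outside an OAuth workflow. Assumptions, marked in the code: the token's sub claim is the FusionAuth user Id; the token-minting request accepts a claims object; and the lambda is a FusionAuth JWT populate lambda with the signature populate(jwt, user, registration), setting jwt.aud from registration.applicationId. The sample tokens are constructed, unsigned, and only used to drive the routing logic.

```javascript
// Added example (not FusionAuth's own code): route an identity lookup based on
// whether a FusionAuth JWT carries an aud claim, and show the two ways the
// page lists for adding aud to tokens minted outside an OAuth workflow.

// Build an unsigned compact JWT from a payload. Used only to construct sample
// tokens for this example; real FusionAuth tokens are signed.
function makeSampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.placeholder-signature`;
}

// Decode the payload of a compact JWS without verifying it. Acceptable here only
// because nothing is trusted from it: the token is still sent to FusionAuth,
// which verifies the signature, and the client acts on FusionAuth's answer.
function decodePayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// aud may be a string or a non-empty array of strings (RFC 7519 section 4.1.3).
function hasAud(payload) {
  const aud = payload.aud;
  if (typeof aud === "string") return aud.length > 0;
  return Array.isArray(aud) && aud.length > 0 &&
    aud.every((a) => typeof a === "string" && a.length > 0);
}

// Plan the HTTP calls needed to get identity for `token`:
//  - with aud: one call to /oauth2/userinfo with the token as a Bearer token;
//  - without aud: /api/jwt/validate (Authorization: JWT <token>) to confirm the
//    token, then /api/user/{id} with an API key. Assumption: the sub claim is
//    the FusionAuth user Id.
function planIdentityLookup(token, apiKey) {
  const payload = decodePayload(token);
  if (hasAud(payload)) {
    return [
      { method: "GET", path: "/oauth2/userinfo", headers: { Authorization: `Bearer ${token}` } },
    ];
  }
  if (typeof payload.sub !== "string" || payload.sub.length === 0) {
    throw new Error("token has neither aud nor sub; cannot resolve the user");
  }
  return [
    { method: "GET", path: "/api/jwt/validate", headers: { Authorization: `JWT ${token}` } },
    { method: "GET", path: `/api/user/${encodeURIComponent(payload.sub)}`, headers: { Authorization: apiKey } },
  ];
}

// Option "include aud on the request to generate the token": the body of a
// token-minting request. Assumption: the minting API accepts a claims object
// (the page does not name the endpoint); aud is the application the token is for.
function mintRequestBody(applicationId, userId, ttlSeconds) {
  return {
    claims: { aud: applicationId, sub: userId },
    timeToLiveInSeconds: ttlSeconds,
  };
}

// Option "add aud via a lambda": FusionAuth's JWT populate lambda has the
// signature populate(jwt, user, registration). Assumption: set jwt.aud to the
// registration's applicationId only when the token has no audience yet.
function populate(jwt, user, registration) {
  if (!hasAud(jwt) && registration && registration.applicationId) {
    jwt.aud = registration.applicationId;
  }
}

// Constructed sample tokens (not real FusionAuth output).
const APP_ID = "00000000-0000-0000-0000-0000000000a1";
const USER_ID = "00000000-0000-0000-0000-0000000000b2";
const oauthToken = makeSampleToken({ sub: USER_ID, aud: APP_ID, exp: 1900000000 });
const nonOauthToken = makeSampleToken({ sub: USER_ID, exp: 1900000000 });

console.log(planIdentityLookup(oauthToken, "api-key").map((r) => r.path));
console.log(planIdentityLookup(nonOauthToken, "api-key").map((r) => r.path));
```

The routing check never trusts the decoded payload for authorization; it only decides which FusionAuth endpoint to call, and that endpoint verifies the signature. Whichever option is used to add aud, the value should be the Id of the application the token is intended for, since that is what FusionAuth uses to customize the /oauth2/userinfo response.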