canonical / identity-platform-login-ui

Login UI for the Canonical identity broker and identity provider solution
Apache License 2.0

Add client_id to access token's aud #250

Closed nsklikas closed 3 days ago

nsklikas commented 5 days ago

IAM-909

Add client_id to access token's audience. Before the change, a jwt access token would be

eyJhbGciOiJSUzI1NiIsImtpZCI6ImIwN2JkYTU2LTMyMmYtNGQ0Yi1hOTFiLWRmZjFlZjhiNjMyNyIsInR5cCI6IkpXVCJ9.eyJhdWQiOltdLCJjbGllbnRfaWQiOiI0NmQ3MjExNC0zYmRmLTQ0ZTItYjEzZC04NmMyY2NjOWUzNzUiLCJleHAiOjE3MTk5MzAyMDAsImV4dCI6e30sImlhdCI6MTcxOTkyNjU5OSwiaXNzIjoiaHR0cDovL2h5ZHJhOjQ0NDQiLCJqdGkiOiI3NmQyYzM4ZC01YjVkLTQ1OTgtOTEwZS0zNjNjYmExYjZkNWUiLCJuYmYiOjE3MTk5MjY1OTksInNjcCI6WyJvcGVuaWQiLCJwcm9maWxlIiwiZW1haWwiLCJvZmZsaW5lX2FjY2VzcyJdLCJzdWIiOiJjNDZmMzc0Ny0yY2QxLTRjMzgtODE3OS01MTcwYmQ2NjJmOGUifQ.NfUjWsgYsaOIILWeY9jrZDPfXBl6AuMf4vf52f1nJzUc4pixPVjxSG1_GSnZYQcksNtEic5q3Is0cjU1HCpipRsdpp0bRk4I4FZGOCbF6R-ZCSk1DvBhnLCROHGpC0761sPSxshOQo3GsouiNetDXmhZy1t3RQSywm3teM1GdFhyQUCwPIx-txnOOHbMU8mHRuHvpCaaH9KmwdA3-jRIEtadpU_sxyREzLoM8gGXnpFmR5nE8GICT44B_RLX7SCnmyxtRcEOIGnmZCGWyyc6xtl-gWFwAYb8aalVdgcFKgMY6vZwIR0uMWPT7UsE7j_yWIM9nih1DIgHtDw7yAdNG8dQWRyzEGflKpGeIOUjpiYxXmoogp0ivsrnNqdJyS01wy6w1L-IgiQCu-YhohhbplRZiOOft2xM3rd6poR_xRH1SNE-gnPP19wt7bvEMhedpaIbf_8Mj1PxF_ERWCG32FUEQSb2OYzLiXlWCBtbbBl8CvZncIZjT3-STuR8X7Lo5iRYQ61WCzguf1CwPPalxXoi4qbPMZNvyn4IdyMQR5-F96uof2wER7ktN6p-sKRIVZqH7T7wRsqSYCU8wi_0MBc1WRFkZmITi7dSjk4xLCDfBVg463ljvFSEX7Jbac2Uc4eoknwH9e0YRbSE_UQjGV2n6CWo6Yaltb-LGu-Rpv8

The userinfo response: [image]

After the change, the access tokens are like:

eyJhbGciOiJSUzI1NiIsImtpZCI6ImIwN2JkYTU2LTMyMmYtNGQ0Yi1hOTFiLWRmZjFlZjhiNjMyNyIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiMGM1NTU1ZTQtMjcyNy00MGM2LTg4MDMtODg0NDBmMWVmMTZiIl0sImNsaWVudF9pZCI6IjBjNTU1NWU0LTI3MjctNDBjNi04ODAzLTg4NDQwZjFlZjE2YiIsImV4cCI6MTcxOTkzMDMyNywiZXh0Ijp7fSwiaWF0IjoxNzE5OTI2NzI2LCJpc3MiOiJodHRwOi8vaHlkcmE6NDQ0NCIsImp0aSI6ImFmYmE0MmM0LTcxNzEtNDdiOC1hMmZjLWVjYjAxNWQzMTI0NyIsIm5iZiI6MTcxOTkyNjcyNiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCIsIm9mZmxpbmVfYWNjZXNzIl0sInN1YiI6ImM0NmYzNzQ3LTJjZDEtNGMzOC04MTc5LTUxNzBiZDY2MmY4ZSJ9.nuH7gny98TfSKDIcNAg-I8H-sovqagj8nZPazsfTLZvfNQP39XxxzZgdN_3UM4270TYggLI2zFOJx-2gSjIhRzwSSbzQy2jRyd0aLGuX5ElrsAkIwjBq_nakyOGVUOK7hwW_dnuaPkZRcX2qNwmlK5GRXuHc4TBJ0KapK8zhJ9rGUwUQ3v9v7F29uAxdA_Zs2d51NxIEB93GOSvFV3B-F450QDi9cBuiOIMyudyp_VrcJ_WbbCuCIbhBV-Hqz20lum4HVtwcNsZQseOsg8mXTSWx0HzYS_Uj7EXyM-262-DQO9iOmckebLLz0AHcRYMC-H0iQyPPE57FgmhCSDW-c9959zdcOxCjh6V43KBT8Tgmh5dnLXRvUdXuOb5Z4YYM2N-U0XK_MJo4zRfcjgBR6JyAaIvaM65Fy0TCkiYXdQr6gS7dq_VhRUTVz4xHPCJQ8U8iczpuw4ex1_Asy9FnqN1Fx78Jf7mH-1JXqZCOWL-NP5rhPlxccPoUVNInWqlcYrawimLCMtRMDKtDQ9-xXfB8Q17pTVx_akHiFMJ3GTp96cZCbvJvSCKrKha3fWReb6hEGJoN0T2QbgfxHgwdhoDiGkYmX05NOglFfD4Fg0t6ejeI-dTmqz1roAP5AjiGBs4DbwuqC2fGO2KCo65NrbTJjUvKAfVHEBu7eertyvU

The userinfo resp: [image]

As you can see, the client_id is automatically added to the AT aud and the userinfo remains the same. I thought about adding the client_id to the userinfo as well, but that would go against the purpose of the endpoint (the client_id is not connected to the user's information). IMO clients that would like to know the client_id that the token was issued for should use the introspection endpoint.
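As an added illustration (not code from this PR or the project), the script below decodes the two access tokens quoted above and applies the audience check a resource server would make. It decodes the payload without verifying the signature, which is enough to inspect the claims but not to trust them; the `aud` normalisation for the bare-string form is an assumption about other issuers, since Hydra emits an array.

```python
import base64
import json

# Access tokens copied verbatim from the PR description above.
BEFORE = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImIwN2JkYTU2LTMyMmYtNGQ0Yi1hOTFiLWRmZjFlZjhiNjMyNyIsInR5cCI6IkpXVCJ9.eyJhdWQiOltdLCJjbGllbnRfaWQiOiI0NmQ3MjExNC0zYmRmLTQ0ZTItYjEzZC04NmMyY2NjOWUzNzUiLCJleHAiOjE3MTk5MzAyMDAsImV4dCI6e30sImlhdCI6MTcxOTkyNjU5OSwiaXNzIjoiaHR0cDovL2h5ZHJhOjQ0NDQiLCJqdGkiOiI3NmQyYzM4ZC01YjVkLTQ1OTgtOTEwZS0zNjNjYmExYjZkNWUiLCJuYmYiOjE3MTk5MjY1OTksInNjcCI6WyJvcGVuaWQiLCJwcm9maWxlIiwiZW1haWwiLCJvZmZsaW5lX2FjY2VzcyJdLCJzdWIiOiJjNDZmMzc0Ny0yY2QxLTRjMzgtODE3OS01MTcwYmQ2NjJmOGUifQ.NfUjWsgYsaOIILWeY9jrZDPfXBl6AuMf4vf52f1nJzUc4pixPVjxSG1_GSnZYQcksNtEic5q3Is0cjU1HCpipRsdpp0bRk4I4FZGOCbF6R-ZCSk1DvBhnLCROHGpC0761sPSxshOQo3GsouiNetDXmhZy1t3RQSywm3teM1GdFhyQUCwPIx-txnOOHbMU8mHRuHvpCaaH9KmwdA3-jRIEtadpU_sxyREzLoM8gGXnpFmR5nE8GICT44B_RLX7SCnmyxtRcEOIGnmZCGWyyc6xtl-gWFwAYb8aalVdgcFKgMY6vZwIR0uMWPT7UsE7j_yWIM9nih1DIgHtDw7yAdNG8dQWRyzEGflKpGeIOUjpiYxXmoogp0ivsrnNqdJyS01wy6w1L-IgiQCu-YhohhbplRZiOOft2xM3rd6poR_xRH1SNE-gnPP19wt7bvEMhedpaIbf_8Mj1PxF_ERWCG32FUEQSb2OYzLiXlWCBtbbBl8CvZncIZjT3-STuR8X7Lo5iRYQ61WCzguf1CwPPalxXoi4qbPMZNvyn4IdyMQR5-F96uof2wER7ktN6p-sKRIVZqH7T7wRsqSYCU8wi_0MBc1WRFkZmITi7dSjk4xLCDfBVg463ljvFSEX7Jbac2Uc4eoknwH9e0YRbSE_UQjGV2n6CWo6Yaltb-LGu-Rpv8"
AFTER = "eyJhbGciOiJSUzI1NiIsImtpZCI6ImIwN2JkYTU2LTMyMmYtNGQ0Yi1hOTFiLWRmZjFlZjhiNjMyNyIsInR5cCI6IkpXVCJ9.eyJhdWQiOlsiMGM1NTU1ZTQtMjcyNy00MGM2LTg4MDMtODg0NDBmMWVmMTZiIl0sImNsaWVudF9pZCI6IjBjNTU1NWU0LTI3MjctNDBjNi04ODAzLTg4NDQwZjFlZjE2YiIsImV4cCI6MTcxOTkzMDMyNywiZXh0Ijp7fSwiaWF0IjoxNzE5OTI2NzI2LCJpc3MiOiJodHRwOi8vaHlkcmE6NDQ0NCIsImp0aSI6ImFmYmE0MmM0LTcxNzEtNDdiOC1hMmZjLWVjYjAxNWQzMTI0NyIsIm5iZiI6MTcxOTkyNjcyNiwic2NwIjpbIm9wZW5pZCIsInByb2ZpbGUiLCJlbWFpbCIsIm9mZmxpbmVfYWNjZXNzIl0sInN1YiI6ImM0NmYzNzQ3LTJjZDEtNGMzOC04MTc5LTUxNzBiZDY2MmY4ZSJ9.nuH7gny98TfSKDIcNAg-I8H-sovqagj8nZPazsfTLZvfNQP39XxxzZgdN_3UM4270TYggLI2zFOJx-2gSjIhRzwSSbzQy2jRyd0aLGuX5ElrsAkIwjBq_nakyOGVUOK7hwW_dnuaPkZRcX2qNwmlK5GRXuHc4TBJ0KapK8zhJ9rGUwUQ3v9v7F29uAxdA_Zs2d51NxIEB93GOSvFV3B-F450QDi9cBuiOIMyudyp_VrcJ_WbbCuCIbhBV-Hqz20lum4HVtwcNsZQseOsg8mXTSWx0HzYS_Uj7EXyM-262-DQO9iOmckebLLz0AHcRYMC-H0iQyPPE57FgmhCSDW-c9959zdcOxCjh6V43KBT8Tgmh5dnLXRvUdXuOb5Z4YYM2N-U0XK_MJo4zRfcjgBR6JyAaIvaM65Fy0TCkiYXdQr6gS7dq_VhRUTVz4xHPCJQ8U8iczpuw4ex1_Asy9FnqN1Fx78Jf7mH-1JXqZCOWL-NP5rhPlxccPoUVNInWqlcYrawimLCMtRMDKtDQ9-xXfB8Q17pTVx_akHiFMJ3GTp96cZCbvJvSCKrKha3fWReb6hEGJoN0T2QbgfxHgwdhoDiGkYmX05NOglFfD4Fg0t6ejeI-dTmqz1roAP5AjiGBs4DbwuqC2fGO2KCo65NrbTJjUvKAfVHEBu7eertyvU"


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Enough to inspect what Hydra issued; a resource server must verify the
    JWS against the issuer's JWKS before trusting any of these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"not a compact JWS: {len(parts)} segments, expected 3")
    payload = parts[1]
    # JWT segments are base64url without padding; restore it before decoding.
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def audiences(claims: dict) -> list[str]:
    """Normalise aud: RFC 7519 allows a bare string or an array (Hydra emits an array)."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def has_audience(claims: dict, wanted: str) -> bool:
    """The check a resource server applies to the token; an empty aud never matches."""
    return wanted in audiences(claims)


if __name__ == "__main__":
    for label, token in (("before", BEFORE), ("after", AFTER)):
        claims = decode_claims(token)
        cid = claims["client_id"]
        print(f"{label}: client_id={cid} aud={audiences(claims)} "
              f"accepted={has_audience(claims, cid)}")
```

Run as a script it shows the pre-change token failing the audience check (empty aud) and the post-change token passing for its own client_id.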

shipperizer commented 5 days ago

IMO clients that would like to know the client_id that the token was issued for should use the introspection endpoint.

no opinion of my own on that, would have to read around what's common practice, maybe @BarcoMasile can share his own experience here

overall looks good anyway

BarcoMasile commented 5 days ago

@nsklikas @shipperizer I agree, adding client_id info to the userinfo doesn't make sense and would be kind of a "misuse" of the userinfo endpoint. Having the audience is what's needed and with this PR we're good to go