Closed. 4integration closed this issue 3 months ago.
The audience is checked against the clientID: https://github.com/jaredhanson/passport-openidconnect/blob/master/lib/strategy.js#L173-L179
Let me know if you had something else in mind.
Hi @jaredhanson

Maybe it differs between OIDC IdPs, but the one we use, Curity (OpenID Certified), has the capability to define 0..n audience(s), and if there is no audience it defaults to the clientID.

So I think it would be good if passport-openidconnect could have an optional `audience` configuration option that is also validated together with the clientID.
Like:
```js
const passport = require('passport');
const OpenIDConnectStrategy = require('passport-openidconnect').Strategy;

// baseUri is not defined in the snippet as posted; assumed to come from configuration.
const baseUri = process.env.OIDC_BASE_URI;

passport.use(new OpenIDConnectStrategy({
  issuer: `${baseUri}/token/internal/anonymous`,
  clientID: process.env.OIDC_CLIENT_ID,
  clientSecret: process.env.OIDC_CLIENT_SECRET,
  authorizationURL: `${baseUri}/token/internal/authorize`,
  userInfoURL: `${baseUri}/token/internal/userinfo`,
  tokenURL: `${baseUri}/token/internal/token`,
  callbackURL: process.env.OIDC_REDIRECT_URI,
  passReqToCallback: true,
  scope: "openid groups profile",
  audience: "urn:myorg:myapp" // <<<<<<<<<<<<<<<<<<<<<<< proposed option, not supported today
},
function(req, issuer, userId, profile, accessToken, refreshToken, params, cb) {
  // Keep the tokens in the session for later calls against the IdP.
  req.session.accessToken = accessToken;
  req.session.idToken = params['id_token'];
  return cb(null, profile);
}));
```
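As an added example, not code from this thread or from passport-openidconnect: the ID Token audience checks from OpenID Connect Core 1.0 section 3.1.3.7 (client_id must be in `aud`, no untrusted extra audiences, `azp` required when there are several audiences and must equal client_id), with the proposed `audience` option treated as the list of extra trusted audiences. That semantics for the option, the function names `validateAudience`/`runSamples` and the sample payloads are all assumptions made here; the function expects a payload whose JWT signature has already been verified.

```javascript
// Added example, not passport-openidconnect code. Audience validation of an
// ID Token payload per OpenID Connect Core 1.0 section 3.1.3.7:
//   - `aud` must contain the client_id;
//   - every other entry of `aud` must be a trusted audience (here: the
//     configured extra `audience` value(s), an assumed semantics for the
//     option proposed in this thread), otherwise the token is rejected;
//   - with more than one audience an `azp` claim must be present, and any
//     `azp` must equal the client_id.
// The payload is assumed to be already signature-verified; iss/exp/nonce
// checks are out of scope here.

function toList(value) {
  if (value === undefined || value === null) return [];
  return Array.isArray(value) ? value : [value];
}

/**
 * @param {object} claims   decoded, signature-verified ID Token payload
 * @param {{clientID: string, audience?: string|string[]}} options
 *   `audience` is the hypothetical extra trusted audience(s) discussed above.
 * @returns {{ok: boolean, reason: string}}
 */
function validateAudience(claims, options) {
  const { clientID } = options;
  const trusted = new Set([clientID, ...toList(options.audience)]);
  const aud = toList(claims.aud);

  if (aud.length === 0) {
    return { ok: false, reason: 'aud claim missing' };
  }
  if (!aud.every((a) => typeof a === 'string')) {
    return { ok: false, reason: 'aud entries must be strings' };
  }
  if (!aud.includes(clientID)) {
    return { ok: false, reason: 'aud does not contain client_id' };
  }
  const untrusted = aud.filter((a) => !trusted.has(a));
  if (untrusted.length > 0) {
    return { ok: false, reason: `untrusted audience(s): ${untrusted.join(', ')}` };
  }
  if (aud.length > 1 && claims.azp === undefined) {
    return { ok: false, reason: 'multiple audiences but azp claim missing' };
  }
  if (claims.azp !== undefined && claims.azp !== clientID) {
    return { ok: false, reason: 'azp does not match client_id' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed sample payloads (not real tokens) covering the cases above.
const CLIENT_ID = 'my-client';
const EXTRA_AUD = 'urn:myorg:myapp';
const SAMPLES = {
  singleAud:   { iss: 'https://idp.example', sub: '42', aud: CLIENT_ID },
  multiOk:     { iss: 'https://idp.example', sub: '42', aud: [CLIENT_ID, EXTRA_AUD], azp: CLIENT_ID },
  multiNoAzp:  { iss: 'https://idp.example', sub: '42', aud: [CLIENT_ID, EXTRA_AUD] },
  azpMismatch: { iss: 'https://idp.example', sub: '42', aud: [CLIENT_ID, EXTRA_AUD], azp: 'other-client' },
  otherClient: { iss: 'https://idp.example', sub: '42', aud: 'other-client' },
  noAud:       { iss: 'https://idp.example', sub: '42' },
};

// Runs every sample against one option set; returns sample name -> ok flag.
function runSamples(options) {
  const out = {};
  for (const [name, claims] of Object.entries(SAMPLES)) {
    out[name] = validateAudience(claims, options).ok;
  }
  return out;
}

console.log('clientID only:', runSamples({ clientID: CLIENT_ID }));
console.log('with audience:', runSamples({ clientID: CLIENT_ID, audience: EXTRA_AUD }));
```

With only `clientID` configured, the two-audience token from a Curity-style setup (`aud: ["my-client", "urn:myorg:myapp"]`) is rejected because the second audience is not trusted; once `audience: "urn:myorg:myapp"` is configured it passes, while the variant without `azp` and the one with a foreign `azp` still fail.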
Can you give me more details or pointers to documentation that would describe how this option would be used? I don't want to introduce and support options that have unclear semantics.
I cannot find support for specifying `audience`, or am I missing something? Do you have plans to include `audience`?

Regards,
Joacim