Support for audience - Githubissues

4integration commented 3 months ago

I cannot find support for specifying audience or am I missing something? Do you have plans to include audience

Regards Joacim

jaredhanson commented 3 months ago

The audience is checked against the clientID: https://github.com/jaredhanson/passport-openidconnect/blob/master/lib/strategy.js#L173-L179

Let me know if you had something else in mind.

4integration commented 3 months ago

Hi @jaredhanson

Maybe it depends between different OIDC IdP's but the one we use; Curity (OpenId Certified); has the capability to define 0..n audience(s) and if zero audience it defaults to clientID

So think it would be good if passport-openidconnect could have an optional audience configuration that is also validated together with clientID

Like:

passport.use(new OpenIDConnectStrategy({
  issuer: `${baseUri}/token/internal/anonymous`,
  clientID: process.env.OIDC_CLIENT_ID,
  clientSecret: process.env.OIDC_CLIENT_SECRET,
  authorizationURL: `${baseUri}/token/internal/authorize`,
  userInfoURL: `${baseUri}/token/internal/userinfo`,
  tokenURL: `${baseUri}/token/internal/token`,
  callbackURL: process.env.OIDC_REDIRECT_URI,
  passReqToCallback: true,
  scope: "openid groups profile",
  audience: "urn:myorg:myapp" // <<<<<<<<<<<<<<<<<<<<<<<
},
function(req, issuer, userId, profile, accessToken, refreshToken, params, cb) {
  req.session.accessToken = accessToken;
  req.session.idToken = params['id_token'];
  return cb(null, profile);
}));

jaredhanson commented 3 months ago

Can you give me more details or pointers to documentation that would describe how this option would be used? I don't want to introduce and support options that have unclear semantics.

jaredhanson / passport-openidconnect

Support for audience #111