ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

Audience is not set on access tokens #1405

Closed MDrollette closed 5 years ago

MDrollette commented 5 years ago

Describe the bug

aud is not set on access tokens. ~I am using JWT access token strategy. I haven't tried with other strategies.~ I've tried with jwt and opaque token strategies.

To Reproduce

Steps to reproduce the behavior:

  1. Create a client with an --audience=https://foo
  2. Request an access token including ?audience=https://foo in the request
  3. Introspect the access token and aud will have a value of null

Expected behavior

The access token audience should match the requested audience or possibly even all of the audiences listed on the client if none were specifically requested (?)

Version:

Additional context

created the client:

hydra --endpoint http://localhost:4445 clients create --id cli \
    --grant-types authorization_code,refresh_token \
    --scope openid,offline \
    --token-endpoint-auth-method none \
    --callbacks http://localhost:7939/callback \
    --audience http://foo \
    -n "CLI Tool"

navigate to: GET /oauth2/auth?access_type=offline&audience=http%3A%2F%2Ffoo&client_id=cli&redirect_uri=http%3A%2F%2Flocalhost%3A7939%2Fcallback&response_type=code&scope=openid+offline&state=...

received a token and introspected it:

$ hydra --endpoint http://localhost:4445 token introspect opaquetoken
{
  "active": true,
  "aud": null,
  ...
}

aeneasr commented 5 years ago

Did you verify the audience in the login app?

aeneasr commented 5 years ago

https://github.com/ory/hydra-login-consent-node/blob/master/routes/consent.js#L32

MDrollette commented 5 years ago

nope! I didn't realize that was required. I guess I assumed hydra would automatically grant it if they asked for it and it exists on the client. I'll try now 👍

aeneasr commented 5 years ago

The audience can mean something like a resource (e.g. a repository or org (on GitHub)) so user consent is important, unless your model looks different in which case you'll simply auto-accept it.

MDrollette commented 5 years ago

That makes sense. My first-party app is the only client (for now) so I was making a lot of assumptions.

Confirmed it works as expected with grant_access_token_audience set

wesleyfantinel commented 5 years ago

@aeneasr Is there a way to retrieve the grant_access_token_audience that @MDrollette mentioned at Oathkeeper?

The definition that I'm talking about is this.

We can retrieve the Subject and Extra parameters, but not the Audience directly. When using authorization_code, we can set the Extra parameters to ensure that the audience is present there. But when using client_credentials, the audience is being set as well, but it is not being set in the session.

I use the Oathkeeper mutator type "header" to provide the audience value for my resource servers. Currently, with authorization_code, I can't achieve this.
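The following is an added worked example, not code from ory/hydra or from the hydra-login-consent-node app that aeneasr links above. It shows the decision a consent app has to make before it accepts the consent request at Hydra's admin API: the step the reporter skipped. Unless the consent app returns grant_access_token_audience, Hydra issues the token with "aud": null, exactly as in the introspection output in the report. The block also copies the granted audience into session.access_token, so that it reaches the resource server through the extra claims, which is the authorization_code workaround wesleyfantinel describes for Oathkeeper's header mutator. Assumptions, all hypothetical: Hydra v1.x consent admin API shape (the GET and PUT calls are only named in comments so the block runs offline), the FIRST_PARTY_CLIENTS set, the granted_audience claim name, and the constructed sample consent request. It covers the authorization_code consent step only; client_credentials has no consent round-trip, which is what the later comments ask about.

```javascript
// Added example (not ory/hydra or hydra-login-consent-node code): builds the body
// a consent app sends to Hydra's admin API to accept a consent request, granting
// an access-token audience only if it was requested, allowed for the client,
// and approved by the user (or auto-approved for a first-party client).
//
// Assumed Hydra v1.x admin calls, omitted here so the example runs offline:
//   GET {ADMIN}/oauth2/auth/requests/consent?consent_challenge=...        -> consentRequest
//   PUT {ADMIN}/oauth2/auth/requests/consent/accept?consent_challenge=... <- body built below

// Hypothetical list of first-party client IDs that are accepted without a consent screen.
const FIRST_PARTY_CLIENTS = new Set(["cli"]);

// Constructed sample consent request, shaped like Hydra's consent request response
// for the "cli" client created in this issue. Values are made up for illustration.
const SAMPLE_CONSENT_REQUEST = {
  challenge: "constructed-challenge",
  subject: "user@example.com",
  skip: false,
  requested_scope: ["openid", "offline"],
  requested_access_token_audience: ["http://foo"],
  client: { client_id: "cli", client_name: "CLI Tool", audience: ["http://foo", "http://bar"] },
};

function isSubset(items, allowed) {
  return items.every((x) => allowed.includes(x));
}

// approval is what the user ticked on the consent screen:
//   { scope: [...], audience: [...], remember: bool }
function buildConsentAcceptance(consentRequest, approval) {
  const requestedScope = consentRequest.requested_scope || [];
  const requestedAudience = consentRequest.requested_access_token_audience || [];
  const client = consentRequest.client || {};
  const clientAudience = client.audience || [];

  // Hydra already compares the requested audience with the client's allowed list
  // at /oauth2/auth; re-checking here keeps a buggy or tampered consent request
  // from being granted an audience the client was never registered for.
  if (!isSubset(requestedAudience, clientAudience)) {
    throw new Error(`client ${client.client_id} may not request audience ${requestedAudience.join(",")}`);
  }

  // Never grant more than was requested: it would widen the token beyond what
  // the user saw on the consent screen.
  const grantScope = approval.scope.filter((s) => requestedScope.includes(s));
  const grantAudience = approval.audience.filter((a) => requestedAudience.includes(a));

  return {
    grant_scope: grantScope,
    grant_access_token_audience: grantAudience,
    remember: Boolean(approval.remember),
    remember_for: approval.remember ? 3600 : 0,
    session: {
      // Extra access-token claims set here are assumed to surface under "ext" in
      // introspection, which is where a downstream gateway such as Oathkeeper can
      // read them as .Extra. "granted_audience" is a hypothetical claim name.
      access_token: { granted_audience: grantAudience },
      id_token: {},
    },
  };
}

// Entry point for the consent handler: first-party clients get exactly what they
// requested with no consent screen; everyone else needs the user's approval.
function decideConsent(consentRequest, approval) {
  if (FIRST_PARTY_CLIENTS.has(consentRequest.client.client_id)) {
    return buildConsentAcceptance(consentRequest, {
      scope: consentRequest.requested_scope || [],
      audience: consentRequest.requested_access_token_audience || [],
      remember: true,
    });
  }
  if (!approval) {
    throw new Error("consent screen approval is required for a third-party client");
  }
  return buildConsentAcceptance(consentRequest, approval);
}
```

With the first-party shortcut, the "cli" client from the report gets grant_access_token_audience: ["http://foo"] and the introspected token carries that audience; a third-party client that asks for an audience the user did not tick gets an empty grant, which is the "user consent is important" behaviour aeneasr describes.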

Pilipets commented 1 year ago

What should we do for client_credentials in order to receive the audience, hm? https://github.com/ory/hydra/issues/3441