Open architeacher opened 1 year ago
Still an issue.
Found that the client ID is hard-coded for the ID token claims here: https://github.com/ory/hydra/blob/017ebae6e65a773f89d4f4d635e8694f83900f09/oauth2/handler.go#L1120
This happens regardless of correctly specifying the requested audience and the audience being allow-listed: https://github.com/ory/hydra/blob/017ebae6e65a773f89d4f4d635e8694f83900f09/oauth2/handler.go#L1076
Ironically, it seems like fosite then appends the client ID again and deduplicates it: https://github.com/ory/fosite/blob/5e039ca9eef18ba5317f62760e111214bf93945f/handler/openid/strategy_jwt.go#L228
Note that this only applies to the ID token. When using:

```yaml
strategies:
  access_token: jwt
```

the access token will contain the requested audience(s).
Describe the bug
Hydra doesn't handle the custom `audience` param in the /oauth2/auth request. Only the default audience, which is the client name, is present in the ID Token.
Reproducing the bug
Steps to reproduce the behavior:

https://foo.bar.buz

`audience` parameter value to be set to `https%3A%2F%2Ffoo.bar.buz`, so the link should be like:

http://127.0.0.1:4444/oauth2/auth?audience=https%3A%2F%2Ffoo.bar.buz&client_id=auth-code-client&max_age=0&nonce=wdhoiprayklzkvzatwowmzsp&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=jojcywqutzgnoqwbramhkjza
Expected Result
What is the expected behavior? Hydra should handle the `audience` param in the /oauth2/auth request and then create an ID Token that contains only the custom audiences that were requested, and if none were requested it can fall back to the current value.
Relevant log output
No response
Relevant configuration
No response
Version
v1.11.10
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Docker Compose
Additional Context
No response
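The following Go program is an added example written for this page; it is not code from Hydra or fosite. It models the two behaviours discussed in the thread side by side: the reported one, where the ID token's `aud` is hard-coded to the client ID, and the one the issue asks for, where the `audience` parameter of the reproduce URL is parsed, each requested audience is checked against the client's allow-list, and the client ID is appended with duplicates removed (what the comment above describes fosite doing). The `Client` type, the function names, the space-separated audience format, the constructed client record, and the choice to reject a non-allow-listed audience outright rather than silently filter it are all assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ReproURL is the /oauth2/auth link from the issue's reproduce step.
const ReproURL = "http://127.0.0.1:4444/oauth2/auth?audience=https%3A%2F%2Ffoo.bar.buz&client_id=auth-code-client&max_age=0&nonce=wdhoiprayklzkvzatwowmzsp&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=jojcywqutzgnoqwbramhkjza"

// Client is an assumed, minimal stand-in for an OAuth2 client record:
// its ID and the audiences it is allowed to request. It is not Hydra's type.
type Client struct {
	ID       string
	Audience []string // allow-listed audiences
}

// RequestedAudience parses an /oauth2/auth URL and returns the audiences
// named by its "audience" query parameter. net/url URL-decodes the value;
// multiple audiences are assumed to be space-separated, like scope.
func RequestedAudience(rawURL string) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	return strings.Fields(u.Query().Get("audience")), nil
}

// HardcodedIDTokenAudience models the reported behaviour: the ID token's
// aud claim is always just the client ID, whatever was requested.
func HardcodedIDTokenAudience(c Client, _ []string) []string {
	return []string{c.ID}
}

// AllowListedAudience models the behaviour the issue asks for. Every
// requested audience must appear in the client's allow-list, otherwise the
// request is rejected (an audience the client was never granted must not
// end up in a token). The client ID is then appended and duplicates are
// dropped; with nothing requested the result is the client ID alone.
func AllowListedAudience(c Client, requested []string) ([]string, error) {
	allowed := make(map[string]bool, len(c.Audience))
	for _, a := range c.Audience {
		allowed[a] = true
	}
	seen := make(map[string]bool)
	var aud []string
	add := func(a string) {
		if !seen[a] {
			seen[a] = true
			aud = append(aud, a)
		}
	}
	for _, a := range requested {
		if !allowed[a] {
			return nil, fmt.Errorf("audience %q is not allow-listed for client %q", a, c.ID)
		}
		add(a)
	}
	add(c.ID)
	return aud, nil
}

func main() {
	// Constructed client matching the reproduce step: auth-code-client with
	// https://foo.bar.buz allow-listed (assumed, not taken from a real setup).
	client := Client{ID: "auth-code-client", Audience: []string{"https://foo.bar.buz"}}

	requested, err := RequestedAudience(ReproURL)
	if err != nil {
		panic(err)
	}
	fmt.Println("requested:      ", requested)
	fmt.Println("ID token (bug): ", HardcodedIDTokenAudience(client, requested))

	aud, err := AllowListedAudience(client, requested)
	fmt.Println("ID token (want):", aud, err)

	// An audience outside the allow-list must be refused, not silently kept.
	_, err = AllowListedAudience(client, []string{"https://attacker.example"})
	fmt.Println("unlisted:       ", err)
}
```

Run it with `go run .`; the point to compare is the two `ID token` lines: the hard-coded path yields only `auth-code-client`, while the allow-listed path yields the requested `https://foo.bar.buz` followed by the client ID.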