Closed. 4integration closed this 7 months ago.
Describe the bug: Audience matching doesn't work as intended
This rule https://github.com/panva/node-openid-client/blob/219f956cb74986439f2d41fc3cfe6fd400c38eca/lib/client.js#L1006-L1011 only matches against `client_id`, but if `audience` is specified on the client and the IdP is configured with it, it should validate OK with that also. If no `audience` is specified, then `client_id` is used as the default.
To Reproduce: Issuer and Client configuration (inline or gist) - don't forget to redact your secrets.

```js
const express = require('express');
const expressSession = require('express-session');
const passport = require('passport');
const { Issuer, Strategy } = require('openid-client');

const app = express();

Issuer.discover('http://localhost:48118/token/internal/anonymous/.well-known/openid-configuration')
  .then(criiptoIssuer => {
    const client = new criiptoIssuer.Client({
      client_id: '2fa-client-test',
      client_secret: '2fa-client-test',
      redirect_uris: ['http://localhost:3000/auth/callback'],
    });

    app.use(expressSession({ secret: 'keyboard cat', resave: false, saveUninitialized: true }));
    app.use(passport.initialize());
    app.use(passport.session());

    passport.use('oidc', new Strategy({
      client,
      // extra authorization request parameters; "audience" is provider-specific
      params: {
        scope: 'openid groups profile',
        audience: 'urn:myorg:camper',
      },
    }, (tokenSet, userinfo, done) => {
      return done(null, tokenSet.claims());
    }));
  });
```
Getting this error:

```json
{"message":"Auth failed: aud mismatch, expected 2fa-client-test, got: urn:myorg:camper"}
```
Expected behaviour: See description above
Environment:
It works exactly as expected. audience is a proprietary parameter of some providers and if it affects the final shape of an ID Token I suggest you use the provider's SDKs to connect to them instead.
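To make the disagreement above concrete, here is an added example (written for this page, not openid-client's own code nor the check at the linked lines) of ID Token `aud` validation as OpenID Connect Core 1.0 section 3.1.3.7 defines it: `aud` must contain the Relying Party's `client_id`, and when several audiences are listed an `azp` claim equal to the `client_id` is expected. The claim sets are constructed, since the report shows only the error, not the token.

```javascript
// Added example, not openid-client's own code: ID Token "aud" validation
// modelled on OpenID Connect Core 1.0 section 3.1.3.7. The rules are:
//   - aud MUST contain the Relying Party's client_id;
//   - when aud lists several audiences, azp SHOULD be present and, if present,
//     MUST equal client_id (enforced strictly here).
// An API identifier requested through a provider-specific "audience" parameter
// never replaces client_id here, which is why the report's token is rejected.

function validateIdTokenAudience(claims, clientId) {
  const { aud, azp } = claims;
  if (aud === undefined) {
    throw new Error('missing required JWT property aud');
  }
  if (Array.isArray(aud)) {
    if (!aud.includes(clientId)) {
      throw new Error(`aud is missing the client_id, expected ${clientId} in ${JSON.stringify(aud)}`);
    }
    if (aud.length > 1) {
      if (azp === undefined) throw new Error('missing required JWT property azp');
      if (azp !== clientId) throw new Error(`azp mismatch, expected ${clientId}, got: ${azp}`);
    }
    return true;
  }
  if (aud !== clientId) {
    throw new Error(`aud mismatch, expected ${clientId}, got: ${aud}`);
  }
  return true;
}

// Returns null when the token passes, otherwise the rejection message.
function audienceCheckResult(claims, clientId) {
  try {
    validateIdTokenAudience(claims, clientId);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Constructed claim sets (the report shows only the error message, not the token).
const CLIENT_ID = '2fa-client-test';
const reportedClaims = { sub: 'alice', aud: 'urn:myorg:camper' };           // what the report hit
const conformingClaims = { sub: 'alice', aud: CLIENT_ID };                  // aud == client_id
const multiAudWithAzp = { sub: 'alice', aud: [CLIENT_ID, 'urn:myorg:camper'], azp: CLIENT_ID };
const multiAudNoAzp = { sub: 'alice', aud: [CLIENT_ID, 'urn:myorg:camper'] };

console.log(audienceCheckResult(reportedClaims, CLIENT_ID));
// aud mismatch, expected 2fa-client-test, got: urn:myorg:camper
```

The `multiAudWithAzp` case shows the only conformant way an IdP can put an API audience into the ID Token alongside the `client_id`; a token carrying just the API audience fails regardless of any `audience` request parameter.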