Issue with validating Audience during Dynamic Client Registration

[arvindk25]

@ttranatping

There seems to be some issue validating DCR 'aud' value against the expected 'audiences' in DCR Policy with below setup:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Testing Postman Collection part of "manual-deploy"

CDR Integration Kit: 1.4.0 (pf-cdr-au-modules-1.4.0.jar)

Dynamic Client Reg Policy Params:

• PingFederate Base URL: https://pingfederate:9031
• Host Header: X-FORWARDED-FOR
• Audience: https://sso.data-holder.local,https://sso.data-holder.local:3000

PF Server Settings:

• Base URL: https://pingfederate:9031 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

When providing value aud=https://pingfederate:9031 during Dynamic Client Registration

Rejected due to invalid claims or other invalid content. Additional details: [[8] Audience (aud) claim [https://pingfederate:9031] doesn't contain an acceptable identifier. Expected one of [https://sso.data-holder.local, https://sso.data-holder.local:3000] as an aud value.]

When providing value aud=https://sso.data-holder.local during Dynamic Client Registration

ERROR [com.pingidentity.ps.cdr.pf.clientregistration.CDRAUPlugin] Invalid audience: https://sso.data-holder.local, Expected: https://pingfederate:9031

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[ttranatping]

Can you please provide your CURL command (or equivalent)?

You should be calling the DCR endpoint with https://sso.data-holder.local as the base URL. That's how the solution is configured (to be called via PingAccess).

[arvindk25]

@ttranatping we should be able to call the DCR endpoint without PingAccess as well, it should process the 'aud' validation basis the list of 'audiences' in the DCR Policy, seems some issue in validation logic under com.pingidentity.ps.cdr.pf.clientregistration.CDRAUPlugin

here is the cURL where we replaced sso.data-holder.local with pingfederate:9031 at the DCR step of Consent Postman collection (S001.T001.007 - Call Pingfederate DCR POST)

curl --location 'https://pingfederate:9031/as/clients.oauth2' \ --header 'Content-Type: application/jwt' \ --header 'X-Certificate;' \ --data '{{software-dcr-requestjwt}}

[ttranatping]

You can configure it to work with https://pingfederate:9031, but it may not be compliant with CDR and won’t be cohesive with the rest of the solution. The CDR IK requires PingAccess in front of PingFederate to deal with some of the nuances of CDR, and it’s important to maintain consistency when setting expected issuers/audiences throughout the solution. We cannot guarantee it to work (and expect it not to) if you circumvent it.

if you wish to continue using DCR using https://pingfederate:9031, then you will need to

• configure the expected audiences in the CDR client registration policy to include https://pingfederate:9031 (the expected audience list you provided does not have it),
• set the DCR request audience to https://pingfederate:9031, and
• call the DCR endpoint using base url https://pingfederate:9031

this is going against our advice and we won’t be able to support you from here. I will close the comments and please proceed through Ping support if you wish to take the matter further.