pow-auth / assent

Multi-provider framework in Elixir
https://powauth.com
MIT License

Multiple audiences #111

Closed absowoot closed 1 year ago

absowoot commented 1 year ago

Hello! I'm pretty new to Elixir so forgive me if this has an easy answer. I'm creating a custom OIDC provider (Netsuite) that issues 2 audiences in a list, one of which is the client ID.

In the oidc.ex, audience validation simply matches what's returned in the claim with the client_id but unfortunately this always produces the "Invalid audience" error.

How would I go about filtering the data so that I could either remove the other audience or add it to what's being matched? I'm trying to follow along with the Apple OIDC provider but can't quite make sense of it.

danschultzer commented 1 year ago

Unfortunately, no support for this in Assent, but it definitely should be supported. I'm reading through the specs to understand well how it should be handled and will push a PR to fix it. Thanks for your patience!

danschultzer commented 1 year ago

You can try out #113. I believe it correctly follows the rules in https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation, points 3, 4, and 5. I'll review later to make sure I got it right. You'll have to configure the list of trusted audiences as the spec requires.

Reading the Netsuite docs, I'm confused about what is meant by "comma-separated list". From the spec it sounds like it should just be a list, not a comma-separated string. Let me know if it works for you.

absowoot commented 1 year ago

Thank you for the update! I have tried #113 but now I am receiving an error about a missing azp -- it appears that Netsuite does not provide that.

When I remove references to azp (lines 344, 346, 350) I am able to successfully log in.

As for the comma-separated list of audiences, your implementation works as expected. For reference, here is what Netsuite returns:

[
    {"at_hash", "..."},
    {"aud", ["########-####-####-####-############;CLIENT_ID", "AUDIENCE"]},
    {"email", "..."},
    {"email_verified", false},
    {"exp", 1677088887},
    {"iat", 1677078087},
    {"iss", "https://system.netsuite.com"},
    {"jti", "CLIENT_ID.i-a.########-####-####-####-############_#############.#"},
    {"nonce", "05mTnGHTHzksKoiGF7DK1w"},
    {"scope", ["email", "openid"]},
    {"sub", "3;73799"}
]

danschultzer commented 1 year ago

Thanks! Didn't read it carefully the day before yesterday, but azp is just a recommendation. It's only required to validate if it exists in the token. I've updated the PR, and will get it merged and released once I fix an upstream issue I'm experiencing with the CI.
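The audience rules discussed in this thread (OIDC Core ID Token Validation points 3 to 5, with azp checked only when the token carries it), written out as an added example; this is not Assent's own code, and the AudienceCheck module, the :client_id and :trusted_audiences config keys and the sample claims are assumptions constructed for illustration.

```elixir
defmodule AudienceCheck do
  @moduledoc """
  Audience checks for an OIDC ID token, following OpenID Connect Core 1.0
  ID Token Validation points 3, 4 and 5. Hypothetical module, not Assent's.
  """

  # Config keys :client_id and :trusted_audiences are assumed names.
  def validate(claims, config) do
    client_id = Keyword.fetch!(config, :client_id)
    trusted = Keyword.get(config, :trusted_audiences, [])

    with {:ok, aud} <- fetch_audiences(claims),
         :ok <- check_client_in_aud(aud, client_id),
         :ok <- check_untrusted(aud, [client_id | trusted]),
         :ok <- check_azp(claims, client_id) do
      :ok
    end
  end

  # `aud` may be a single string or a non-empty list of strings.
  defp fetch_audiences(%{"aud" => aud}) when is_binary(aud), do: {:ok, [aud]}
  defp fetch_audiences(%{"aud" => [_ | _] = aud}), do: {:ok, aud}
  defp fetch_audiences(_claims), do: {:error, "Missing aud claim"}

  # Point 3: the client_id must appear among the audiences.
  defp check_client_in_aud(aud, client_id) do
    if client_id in aud, do: :ok, else: {:error, "Invalid audience"}
  end

  # Point 3: reject the token if it carries any audience the client does not trust.
  defp check_untrusted(aud, allowed) do
    case Enum.reject(aud, &(&1 in allowed)) do
      [] -> :ok
      untrusted -> {:error, "Untrusted audience(s): #{Enum.join(untrusted, ", ")}"}
    end
  end

  # Points 4 and 5: azp is only a recommendation, so it is checked only when
  # present, and then it must equal the client_id.
  defp check_azp(%{"azp" => azp}, client_id) when azp == client_id, do: :ok
  defp check_azp(%{"azp" => _azp}, _client_id), do: {:error, "Invalid azp"}
  defp check_azp(_claims, _client_id), do: :ok
end

# Constructed sample shaped like the Netsuite token in this thread (no azp).
claims = %{"aud" => ["client-123", "netsuite-audience"], "sub" => "3;73799"}
IO.inspect(AudienceCheck.validate(claims, client_id: "client-123", trusted_audiences: ["netsuite-audience"]))
IO.inspect(AudienceCheck.validate(claims, client_id: "client-123"))
```

The second call shows the failure mode from the first comment: with the extra audience not configured as trusted, the token is rejected even though the client_id is present.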

absowoot commented 1 year ago

The update works perfectly, thanks!