I'm using flask-oidc 1.4.0 on a resource server, and I have the following config settings set:
app.config.update({
    'SECRET_KEY': 'not a very secret key',
    'TESTING': True,
    'DEBUG': True,
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_RESOURCE_SERVER_ONLY': True,
    'OIDC_RESOURCE_CHECK_AUD': True,
})
I expected my application to always verify that the "aud" parameter contained my client id, but it seems this check only happens if "aud" is actually present in the access token. If there is no "aud" field, the check does not seem to happen (and the request is allowed)?!
Is this the expected behavior? I was expecting the request would be rejected if "aud" was not present in the access token (similar to an invalid value).
Regards, Rik
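To make the distinction in the report concrete, here is an added example (not flask-oidc's code, and not the reporter's) that puts the lenient behaviour described above next to a fail-closed audience check. It works on an already signature-verified claims dict; the claim values and the client id `my-resource-server` are constructed for illustration.

```python
"""Audience ("aud") checks for an OAuth2/OIDC resource server.

Added example: the claims passed in are assumed to come from a token whose
signature and expiry have already been verified. Only the audience logic is
shown here.
"""
from typing import Any, List, Mapping


def _audience_list(aud: Any) -> List[str]:
    """Normalise the aud claim to a list of strings.

    RFC 7519 section 4.1.3 allows "aud" to be a single string or an array of
    strings; anything else is malformed and is rejected.
    """
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, (list, tuple)) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError("malformed aud claim: %r" % (aud,))


def lenient_audience_ok(claims: Mapping[str, Any], client_id: str) -> bool:
    """The behaviour the report describes: the check only runs when aud is present.

    A token that simply omits "aud" passes, so this effectively lets the token
    issuer (or any token minted for a different audience that lacks the claim)
    bypass the audience restriction.
    """
    if "aud" not in claims:
        return True
    return client_id in _audience_list(claims["aud"])


def strict_audience_ok(claims: Mapping[str, Any], client_id: str) -> bool:
    """Fail-closed audience check.

    A missing or malformed "aud" is treated exactly like a wrong value: the
    token was not issued for this resource server, so it is rejected.
    """
    aud = claims.get("aud")
    if aud is None:
        return False
    try:
        return client_id in _audience_list(aud)
    except ValueError:
        return False


# Constructed sample claim sets (not real tokens).
SAMPLE_CLAIMS = {
    "correct single aud": {"sub": "alice", "aud": "my-resource-server"},
    "correct aud in list": {"sub": "alice", "aud": ["other-api", "my-resource-server"]},
    "wrong aud": {"sub": "alice", "aud": "some-other-api"},
    "no aud claim": {"sub": "alice"},
    "malformed aud": {"sub": "alice", "aud": 42},
}


def compare_checks(client_id: str = "my-resource-server") -> dict:
    """Run both checks over the samples; returns {name: (lenient, strict)}."""
    results = {}
    for name, claims in SAMPLE_CLAIMS.items():
        try:
            lenient = lenient_audience_ok(claims, client_id)
        except ValueError:
            lenient = False
        results[name] = (lenient, strict_audience_ok(claims, client_id))
    return results


if __name__ == "__main__":
    for name, (lenient, strict) in compare_checks().items():
        print("%-22s lenient=%-5s strict=%s" % (name, lenient, strict))
```

The only row where the two functions disagree is "no aud claim": the lenient check accepts it, the strict one rejects it. For a resource server the strict form is the one that matches the expectation in the report, since an access token that names no audience gives the server no basis for believing it was the intended recipient.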