theGOTOguy / Oauth2-Mock-Server-Example

Example of getting auth tokens from the OAuth2 Mock server
MIT License

Audience claim is weird. #3

Open theGOTOguy opened 3 days ago

theGOTOguy commented 3 days ago

Note that when we run the test, we get the client_id as the audience claim in the JWT. This might be a bug in the OAuth server, or might just be us failing to understand something about how it works.

JWT:

{'sub': 'test@test.com', 'aud': 'your_client_id', 'nbf': 1731621126, 'azp': 'your_client_id', 'iss': 'http://localhost:8080/default', 'exp': 1731624726, 'iat': 1731621126, 'jti': '5c694363-a324-4c14-a20f-9e1089b01ff6', 'tid': 'default'}

On the other hand, when we got to the /userinfo endpoint, the audience claims to be default from the path. Weird.

 {'sub': 'test@test.com', 'aud': ['default'], 'nbf': 1731621126000, 'azp': 'your_client_id', 'iss': 'http://localhost:8080/default', 'exp': 1731624726000, 'iat': 1731621126000, 'jti': 'c30ce18e-5276-4872-84e3-44578c3295f7', 'tid': 'default'}

I would like to resolve this mystery. 1) Is it a bug in OAuth2 mock server? 2) Is this somehow expected behavior, and we are sending bad requests? How would I correctly specify audience? 3) Is this totally correct and expected, and the flaw is my own understanding?

This will likely require some reading the server code / documents, reading an OAuth2 spec, or maybe just asking ChatGPT nicely.
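As an added illustration (not code from this repository or from the mock server), here is a small claim validator run over the two claim sets quoted above. It shows why the two responses differ for a verifier: the token carries `aud` as a string while `/userinfo` returns it as a list, and `/userinfo` also reports `nbf`/`exp`/`iat` in milliseconds rather than seconds. The expected audience values and the millisecond-detection threshold are assumptions for the example.

```python
"""Audience and time-claim checks over the two claim sets quoted in this issue."""
import time

# Constructed samples, copied in shape from the issue (jti values shortened).
# Token endpoint: 'aud' is a single string, timestamps in seconds.
TOKEN_CLAIMS = {'sub': 'test@test.com', 'aud': 'your_client_id', 'nbf': 1731621126,
                'azp': 'your_client_id', 'iss': 'http://localhost:8080/default',
                'exp': 1731624726, 'iat': 1731621126, 'jti': 'jti-1', 'tid': 'default'}
# /userinfo endpoint: 'aud' is a list, timestamps in milliseconds.
USERINFO_CLAIMS = {'sub': 'test@test.com', 'aud': ['default'], 'nbf': 1731621126000,
                   'azp': 'your_client_id', 'iss': 'http://localhost:8080/default',
                   'exp': 1731624726000, 'iat': 1731621126000, 'jti': 'jti-2',
                   'tid': 'default'}


def normalize_aud(aud):
    """RFC 7519 allows 'aud' to be one string or an array of strings; always return a list."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    return list(aud)


def to_seconds(ts):
    """Assumption: any value above 1e11 cannot be epoch seconds in this century,
    so treat it as milliseconds (the /userinfo response above does this)."""
    return ts / 1000 if ts > 10**11 else ts


def validate_claims(claims, expected_aud, expected_iss, now=None):
    """Return the list of failed checks; an empty list means the claims are acceptable.
    A verifier must require its own identifier to be present in 'aud', so a token
    minted for 'your_client_id' is rejected by a service expecting 'default' and
    vice versa, which is exactly the mismatch described in the issue."""
    now = time.time() if now is None else now
    problems = []
    if claims.get('iss') != expected_iss:
        problems.append('iss')
    if expected_aud not in normalize_aud(claims.get('aud')):
        problems.append('aud')
    if 'exp' in claims and to_seconds(claims['exp']) <= now:
        problems.append('exp')
    if 'nbf' in claims and to_seconds(claims['nbf']) > now:
        problems.append('nbf')
    return problems
```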

cheapcouches commented 2 days ago

I've been able to narrow this issue down to us missing a config JSON file as described here. In short, we need to pre-define scopes and audiences for our token endpoints and feed the resulting JSON to our mock server.

I'm still figuring out the specifics on how exactly this works - I was able to get it to work on my first try, and then switching around variables broke it. I'm aiming to hopefully have an example uploaded tonight or tomorrow.

This should also fix #1.