-
-
Notifications
You must be signed in to change notification settings - Fork 46
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Suggestion: Allow audience validation against collection of valid audiences #82
Comments
Hi @serioga This feature has existed since at least version 2.0.0. The documentation doesn't state it explicitly, but both So maybe the issue should be about updating the documentation to reflect the code behavior 😃 |
Sorry, my bad. I read the code wrong 😞 The code allows for a collection of audiences in the token itself, not in the verification claims. The original issue still stands. |
Why would you want multiple audiences at the point of verification? The way i see it, you might need multiple audiences at the point of issuing (i.e. producer/issuer supports multiple consumers/audiences), but the service that verifies is the audience, right? So that service just needs to be one of the issuer audiences. The code looks fine to me regarding that, unless I'm missing something big... The documentation improvement definitely stands though 👍 In other words, assuming two {:generate {:issuer "com.foo.auth" ;; single issuer (identification)
:audiences ["foo-auth-service"] ;; can address multiple audiences
:ttl-max-hours 3} ;; max-age (allows clients to ask for custom exp)
:verify {:issuers ["com.foo.auth"] ;; can verify against multiple issuers
:audience "foo-auth-service" ;; single consumer (identification)
:leeway 15}} |
It depends on whether you are thinking about OAuth2 or OpenID Connect (our use case). In the former, where the JWT is an access token, the service that verifies the token is the audience. But in the latter, it may not be (and in our case, it is not). Because in OpenID Connect you also use have JWT tokens for Authentication (when using ID Tokens). And in that case, multiple different Relaying Parties[1] may use the same OpenID Provider [2]. This is exactly our case. We have three Relaying Parties: a mobile app, embedded hardware and a single page application. We have them as three separate Relaying Parties because we want to restrict the allowed authentication and authorization flows depending on the type of client. E.g., embedded devices can't use Authorization Code flow, only implicit flow. But we don't want to enable implicit flow in the other two cases. So we have three relaying parties, each with its own But all of them use their ID and Access tokens with the same REST service. So we need to be able to validate ID and Access tokens with three different [1] OAuth 2.0 Client application requiring End-User Authentication and Claims from an OpenID Provider, from https://openid.net/specs/openid-connect-core-1_0.html#Terminology |
I suggest to improve validation for
aud
so that we can use collection for “valid audience” but not a single value only.buddy-sign/src/buddy/sign/jwt.clj
Lines 27 to 28 in 2009c4d
The text was updated successfully, but these errors were encountered: