Shibboleth IDP for OAuth2

Ritterhoff, Florian ritterhoff.florian at
Tue Aug 9 14:42:13 UTC 2022

Hi together,


I’m currently playing around with the new OIDC Plugin. As far as I have seen there are several options to utilize/enable some OAuth2 functionality and “trigger” the generation of a JWT-encoded access_token. Sadly, until now I did not manage to figure out how to configure an OAuth2 client that is able to receive an access_token that I can pass to a resource server.

In detail I have two questions:

1. In case I add the (incorrect) openid scope to the client configuration, an access_token for the IdP is generated; in case I add an “artificial” scope (e.g. foo) to the config, the login/generation of the access_token fails.


        "scope": "foo",
        "redirect_uris": [
            "http://localhost:3000/oidc-callback"
        ],
        "client_id": "portal-frontend-dev",
        "subject_type": "public",
        "token_endpoint_auth_method": "none",
        "response_types": [
            ...
        ],
        "grant_types": [
            ...
        ]

According to the log, the error is that no further audience is allowed (Profile Action ValidateAudience: No allowed audience for client portal-frontend-dev). How can I configure one? 😉

2. Is there an option or example of how to extend the access_token so I can include further claims like the email, firstname or affiliation? I stumbled over the accessTokenClaimsSetManipulationStrategy but did not figure out if that is possible at all?



Florian Ritterhoff
