Shibboleth IDP for OAuth2

Florian Ritterhoff ritterhoff.florian at
Fri Aug 12 18:11:03 UTC 2022

Well, generating a new access_token itself is no problem. The "problem" 
occurs when the desired "OAuth2-access-token" contains 
additional claims and the extra audience. Until now I haven't found any 
working configuration.

Adding a resource query to the /token endpoint in combination with the 
refresh_token only produces the log message

Profile Action ValidateAudience: Omitting requested but previously 
ungranted audience https://api.****** for RP portal-frontend-dev

Obviously that seems to fail. Should that work (maybe even without the 


Florian Ritterhoff

Am 12.08.2022 um 20:06 schrieb Cantor, Scott via users:
>> That works fine so far. The only thing I stumbled over is using
>>     refresh_tokens. Is there an option/way to create a fresh access_token
>>   using a generated refresh_token?
> Yes, that's all supported.
> -- Scott
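The log line quoted above ("Omitting requested but previously ungranted audience ...") describes the standard refresh-grant rule: a refresh exchange can narrow the scope (RFC 6749 section 6) and the audience (RFC 8707 resource indicators) of the original grant, but it cannot add an audience the authorization never granted. The following is an added illustration of that rule, not Shibboleth IdP code; the in-memory store, the `RefreshGrant` record, the function `refresh_access_token` and the constructed token/audience values are assumptions made for the example, and only the shape of the log message mirrors the one in the thread.

```python
"""Why a refresh_token exchange cannot widen the audience of an access token.

Added example, not Shibboleth IdP code. Store, record type, function names
and sample values are constructed for the illustration.
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class RefreshGrant:
    client_id: str          # client the refresh token was issued to
    subject: str
    scopes: frozenset       # scopes granted at the original authorization
    audiences: frozenset    # audiences granted at the original authorization
    expires_at: float


# Constructed sample store: refresh token value -> grant record.
REFRESH_STORE = {
    "rt-constructed-1": RefreshGrant(
        client_id="portal-frontend-dev",
        subject="user-1",
        scopes=frozenset({"openid", "profile"}),
        audiences=frozenset({"https://api.example.test/granted"}),
        expires_at=time.time() + 3600,
    ),
}

LOG = []  # collected log lines, so the effect is inspectable


class TokenError(Exception):
    """OAuth2 token endpoint error code (e.g. invalid_grant)."""


def refresh_access_token(client_id, refresh_token,
                         requested_scopes=None, requested_resources=None,
                         now=None):
    """Simulate the refresh_token grant at a token endpoint.

    Returns the claims of the new access token. Raises TokenError with the
    OAuth2 error code when the request must be rejected.
    """
    grant = REFRESH_STORE.get(refresh_token)
    if grant is None:
        raise TokenError("invalid_grant")
    if grant.client_id != client_id:
        # A refresh token is bound to the client it was issued to.
        raise TokenError("invalid_grant")
    if (now if now is not None else time.time()) >= grant.expires_at:
        raise TokenError("invalid_grant")

    # Scope may be narrowed on refresh, never widened (RFC 6749 s.6).
    scopes = grant.scopes if requested_scopes is None else frozenset(requested_scopes)
    if not scopes <= grant.scopes:
        raise TokenError("invalid_scope")

    # Audience behaves the same way: a resource parameter (RFC 8707) can
    # select a subset of the granted audiences. Anything not granted at
    # authorization time is dropped with a log message, not added.
    if requested_resources is None:
        audiences = grant.audiences
    else:
        requested = frozenset(requested_resources)
        for aud in sorted(requested - grant.audiences):
            LOG.append(
                f"Profile Action ValidateAudience: Omitting requested but "
                f"previously ungranted audience {aud} for RP {client_id}"
            )
        audiences = requested & grant.audiences
        if not audiences:
            # This example's choice: never mint a token with no audience.
            raise TokenError("invalid_target")

    return {
        "sub": grant.subject,
        "client_id": client_id,
        "scope": " ".join(sorted(scopes)),
        "aud": sorted(audiences),
    }


if __name__ == "__main__":
    print(refresh_access_token("portal-frontend-dev", "rt-constructed-1",
                               requested_resources=["https://api.example.test/granted",
                                                    "https://api.example.test/other"]))
    print("\n".join(LOG))
```

The practical consequence for the situation described in the thread is that an audience (or the claims tied to it) which should appear in tokens obtained through a refresh has to be requested, and granted, in the original authorization request; the refresh exchange only ever filters what that grant already contains.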