ValidateAudience: No allowed audience for client

Cantor, Scott cantor.2 at osu.edu
Mon Jun 6 20:12:20 UTC 2022


On 6/6/22, 2:50 PM, "users on behalf of Schofield, Richie via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

> Hello, new to Shibboleth IdP, OIDC and OAuth.

Shibboleth is, to say the least, a software design that assumes substantial knowledge of what you want to do with it because its learning curve in its own right is extremely high. Domain knowledge is a definite assumption.

> When attempting to get a token from /idp/profile/oidc/token it is telling me that there are ‘no allowed
> audience’ for my client. I’ve trolled source code for hours looking for answers and I think I am missing
> something.

What are you trying to get a token for and how? OIDC is browser-based, you start on the front-channel, and the RP is the one fetching the token (and the audience stuff is all implicit in that and doesn't break like that).

OAuth is a different matter, and that error comes into play when you're talking about something like the client_credentials grant type, which there is dedicated documentation around, including how to deal with audience. In short, the client metadata contains an extension that authorizes audiences to allow, at least as a primary mechanism.

> Is there a way to, by default, add each SP on its own audience list?

It is, for OIDC. The audience is implicit in that case in the normal modes of use. You don't get that error in such a case.

-- Scott
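The two audience checks Scott describes for the client_credentials case, as an added illustration that is not Shibboleth code: the token endpoint only issues a token for an audience the client's registered metadata authorizes (otherwise the request fails with "no allowed audience"), and the resource server only accepts a token whose `aud` claim names it. The metadata key `allowed_audiences`, the sample client registrations and the URLs are constructed for this example and do not correspond to the Shibboleth OIDC plugin's actual configuration keys.

```python
"""Audience policy for an OAuth client_credentials token request.

Hypothetical model of the checks discussed in the thread. The metadata
key `allowed_audiences` is an assumption made for this example, not a
Shibboleth configuration key.
"""


class NoAllowedAudience(Exception):
    """Raised when the client's registration authorizes no usable audience."""


def select_audience(client_metadata, requested_audience=None):
    """Return the audience to place in the token's `aud` claim.

    client_metadata: dict describing the registered client.
    requested_audience: audience named in the token request, if any; it
    must be one the client is registered for. With no request, a single
    registered audience is used implicitly; several require a choice.
    """
    allowed = client_metadata.get("allowed_audiences") or []
    client_id = client_metadata["client_id"]
    if not allowed:
        raise NoAllowedAudience("no allowed audience for client %s" % client_id)
    if requested_audience is None:
        if len(allowed) == 1:
            return allowed[0]
        raise NoAllowedAudience("client %s must name one of: %s" % (client_id, ", ".join(allowed)))
    if requested_audience not in allowed:
        raise NoAllowedAudience("audience %r not allowed for client %s" % (requested_audience, client_id))
    return requested_audience


def resource_server_accepts(token_claims, my_audience):
    """Resource-server side: accept only a token whose `aud` names this server.

    Per RFC 7519 section 4.1.3 `aud` may be a single string or a list.
    A token without `aud` is rejected, since it could be replayed anywhere.
    """
    aud = token_claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        aud = [aud]
    return my_audience in aud


# Constructed sample client registrations (hypothetical, not real deployments).
CLIENTS = {
    "svc-reports": {
        "client_id": "svc-reports",
        "allowed_audiences": ["https://api.example.org/reports"],
    },
    "svc-batch": {
        "client_id": "svc-batch",
        "allowed_audiences": [
            "https://api.example.org/reports",
            "https://api.example.org/billing",
        ],
    },
    # Registered without any audience extension: every token request fails.
    "svc-unconfigured": {"client_id": "svc-unconfigured"},
}


def issue_token(client_id, requested_audience=None):
    """Build the claims of a token for client_id, or raise NoAllowedAudience."""
    client = CLIENTS[client_id]
    aud = select_audience(client, requested_audience)
    return {"iss": "https://idp.example.org", "sub": client_id, "aud": aud}


def token_request_outcome(client_id, requested_audience=None):
    """Summarize a token request the way the endpoint would: 'issued' or the error."""
    try:
        issue_token(client_id, requested_audience)
        return "issued"
    except NoAllowedAudience:
        return "no allowed audience"


if __name__ == "__main__":
    for cid, aud in [("svc-reports", None), ("svc-batch", None),
                     ("svc-batch", "https://api.example.org/billing"),
                     ("svc-unconfigured", None)]:
        print(cid, aud, "->", token_request_outcome(cid, aud))
```

The `svc-unconfigured` client reproduces the situation in the question: the client exists, authenticates fine, but its registration carries no audience the server is allowed to mint a token for, so the token endpoint refuses rather than guessing.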