ValidateAudience: No allowed audience for client
Cantor, Scott
cantor.2 at osu.edu
Mon Jun 6 20:16:02 UTC 2022
On 6/6/22, 4:12 PM, "users on behalf of Cantor, Scott via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> > Is there a way to, by default, add each SP on its own audience list?
> It is, for OIDC.
Actually, let me correct that...the SP/RP is most definitely NOT the audience in the normal OIDC flow. The OP is the audience, the only intended use of the token is to access the UserInfo endpoint, and that's the OP's endpoint. So the RP is the client, not the audience, which is why it's not something that comes up unless you're doing "not OIDC" things or abusing OIDC in ways that we would not support.
-- Scott