ValidateAudience: No allowed audience for client

Cantor, Scott cantor.2 at
Mon Jun 6 20:16:02 UTC 2022

On 6/6/22, 4:12 PM, "users on behalf of Cantor, Scott via users" <users-bounces at on behalf of users at> wrote:

>    > Is there a way to, by default, add each SP on its own audience list?
>    It is, for OIDC.

Actually, let me correct that...the SP/RP is most definitely NOT the audience in the normal OIDC flow. The OP is the audience, the only intended use of the token is to access the UserInfo endpoint, and that's the OP's endpoint. So the RP is the client, not the audience, which is why it's not something that comes up unless you're doing "not OIDC" things or abusing OIDC in ways that we would not support.

-- Scott
