ValidateAudience: No allowed audience for client

Schofield, Richie Richie.Schofield at
Mon Jun 6 20:45:10 UTC 2022

The ramp-up to this has been quite rough… I have been catching up on domain knowledge for the past couple of weeks and there are still so many documents I haven’t seen yet.

My objective is to get a client credentials grant workflow set up. I have a protected resource and want to authN/authZ scripts hosted on other machines so they can access this resource. I’ve used the SP ./ to create client metadata, loaded it into the IdP and am trying to manually walk through the REST workflow to better understand.

The first endpoint, I assumed, is /token, like this:
POST https://<idp_hostname>/idp/profile/oidc/token

From: users <users-bounces at> on behalf of Cantor, Scott via users <users at>
Date: Monday, June 6, 2022 at 4:16 PM
To: Shib Users <users at>
Cc: Cantor, Scott <cantor.2 at>
Subject: Re: ValidateAudience: No allowed audience for client

On 6/6/22, 4:12 PM, "users on behalf of Cantor, Scott via users" <users-bounces at on behalf of users at> wrote:

>    > Is there a way to, by default, add each SP on its own audience list?
>    It is, for OIDC.

Actually, let me correct that... the SP/RP is most definitely NOT the audience in the normal OIDC flow. The OP is the audience, the only intended use of the token is to access the UserInfo endpoint, and that's the OP's endpoint. So the RP is the client, not the audience, which is why it's not something that comes up unless you're doing "not OIDC" things or abusing OIDC in ways that we would not support.

-- Scott
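To make the point about who the audience is concrete, here is an added example (not from this thread or from the Shibboleth project) of the check a protected resource would run on a token presented by one of the scripts: a token whose only audience is the OP, as in the normal OIDC flow, is rejected, while one that names the resource is accepted. The issuer and resource identifiers are constructed placeholders, and the tokens are built unsigned purely for illustration.

```python
import base64
import json
import time

# Constructed identifiers (assumptions, not from the thread): the OP's issuer
# and the protected resource the scripts want to call.
OP_ISSUER = "https://idp.example.org"
RESOURCE_ID = "https://api.example.org/reports"


def decode_jwt_payload(token):
    """Return the claims of a compact JWT without verifying its signature."""
    # Signature verification against the OP's JWKS is a separate step; this only
    # exposes the claims so the audience check below can be demonstrated.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_audience(claims, expected, now=None):
    """Accept the token only if this resource is named in 'aud' and it is unexpired."""
    # RFC 7519: 'aud' may be a single string or an array of strings. A token whose
    # only audience is the OP itself (the normal OIDC case) is rejected here,
    # because this resource is not among its intended recipients.
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    return isinstance(aud, list) and expected in aud


def make_unsigned_token(claims):
    """Build a constructed, unsigned (alg=none) token for this demonstration only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Standard OIDC flow: the OP is the only audience (token meant for UserInfo).
OIDC_TOKEN = make_unsigned_token({"iss": OP_ISSUER, "aud": OP_ISSUER, "sub": "script", "exp": 4102444800})
# Client credentials use case: the protected resource is an allowed audience.
API_TOKEN = make_unsigned_token({"iss": OP_ISSUER, "aud": [OP_ISSUER, RESOURCE_ID], "sub": "script", "exp": 4102444800})

if __name__ == "__main__":
    for label, tok in (("oidc", OIDC_TOKEN), ("api", API_TOKEN)):
        print(label, validate_audience(decode_jwt_payload(tok), RESOURCE_ID))
```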
