ValidateAudience: No allowed audience for client
Schofield, Richie
Richie.Schofield at netapp.com
Mon Jun 6 20:45:10 UTC 2022
The ramp up to this has been quite rough… I have been catching up on domain knowledge for the past couple of weeks and there are still so many documents I haven’t seen yet.
My objective is to get a client credential grant workflow set up. I have a protected resource and want to authN/authZ scripts hosted on other machines for access to this resource. I’ve used the SP ./metagen.sh to create client metadata, loaded it into the IdP and am trying to manually walk through the REST workflow to better understand.
The first endpoint, I assumed, is the /token like this:
POST https://<idp_hostname>/idp/profile/oidc/token
?client_id=<resource_server>
&grant_type=client_credentials
&scope=openid
&resource=<resource_server>
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott via users <users at shibboleth.net>
Date: Monday, June 6, 2022 at 4:16 PM
To: Shib Users <users at shibboleth.net>
Cc: Cantor, Scott <cantor.2 at osu.edu>
Subject: Re: ValidateAudience: No allowed audience for client
On 6/6/22, 4:12 PM, "users on behalf of Cantor, Scott via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> > Is there a way to, by default, add each SP on its own audience list?
> It is, for OIDC.
Actually, let me correct that...the SP/RP is most definitely NOT the audience in the normal OIDC flow. The OP is the audience, the only intended use of the token is to access the UserInfo endpoint, and that's the OP's endpoint. So the RP is the client, not the audience, which is why it's not something that comes up unless you're doing "not OIDC" things or abusing OIDC in ways that we would not support.
-- Scott
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
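As an added example (not code from this thread, nor from Shibboleth), here is the client credentials request from the post written as the form-encoded POST RFC 6749 expects, with the client authenticating via client_secret_basic, followed by an offline decode of a returned JWT's aud claim, the audience concept Scott's reply discusses. The hostname, client id, secret and resource identifier are placeholders; the token used for testing is constructed and unsigned.

```python
import base64
import json
import urllib.parse
import urllib.request

def build_token_request(idp_hostname: str, client_id: str, client_secret: str,
                        resource: str, scope: str = "openid") -> urllib.request.Request:
    """Client credentials grant against the IdP's /idp/profile/oidc/token endpoint.
    Parameters travel in an application/x-www-form-urlencoded POST body, not the
    query string, so they do not end up in server/proxy access logs.  The client
    authenticates with HTTP Basic (client_secret_basic), so the secret is never
    placed in the form or the URL.  `resource` is the RFC 8707 resource indicator
    naming the resource server the token is meant for (assumed supported by the OP)."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "scope": scope,
        "resource": resource,
    }).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return urllib.request.Request(
        url=f"https://{idp_hostname}/idp/profile/oidc/token",
        data=form, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sample_token(claims: dict) -> str:
    """Constructed, unsigned test token (alg=none, empty signature) so the audience
    check below can be exercised offline.  A real OP signs its access tokens."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it.  Useful when debugging why a
    resource server rejects a token; production code must verify the signature,
    iss and exp before trusting any claim returned here."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))

def audience_allowed(claims: dict, expected: str) -> bool:
    """aud may be a single string or an array (RFC 7519 section 4.1.3); a token with
    no aud, or one naming only other parties, must be rejected by the resource server."""
    aud = claims.get("aud")
    if aud is None:
        return False
    if isinstance(aud, str):
        return aud == expected
    return expected in aud
```

If the decoded aud names only the OP (or is absent), the token was minted for the OP's own UserInfo endpoint, which is the normal OIDC case Scott describes; a resource server should only see its own identifier there when the OP has been configured to issue tokens for it.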