ValidateAudience: No allowed audience for client

Cantor, Scott cantor.2 at
Mon Jun 6 21:10:44 UTC 2022

On 6/6/22, 4:45 PM, "Schofield, Richie" <Richie.Schofield at> wrote:

>    My objective is to get a client credential grant workflow setup.

Ok. First time anybody is trying it AFAIK.

Again, the RP is not the audience. The audience is the resource server(s) you're getting a token for, and you have to generally register an "audience" claim in the JSON metadata (or via SAML metadata) to control the audiences that an RP can request a token for.

> I have a protected resource and want to authN/authZ scripts hosted on other machines access to this
> resource. I’ve used the SP ./ to create client metadata

The metadata needed for this is very different SAML metadata than what that script was built to generate.

>    The first endpoint, I assumed, is the /token like this:

Yes, basically. The resource parameter is the audience and needs to be authorized for that client, by putting <Audience> elements into the SAML metadata if that's the metadata format you want to use.

Alternatively it's possible to implement a Java function or script to just brute force the check but the default is to put it in the metadata, as the documentation outlines.

-- Scott

More information about the users mailing list