ValidateAudience: No allowed audience for client
Cantor, Scott
cantor.2 at osu.edu
Mon Jun 6 21:10:44 UTC 2022
On 6/6/22, 4:45 PM, "Schofield, Richie" <Richie.Schofield at netapp.com> wrote:
> My objective is to get a client credential grant workflow setup.
Ok. First time anybody is trying it AFAIK.
Again, the RP is not the audience. The audience is the resource server(s) you're getting a token for, and you have to generally register an "audience" claim in the JSON metadata (or via SAML metadata) to control the audiences that an RP can request a token for.
> I have a protected resource and want to authN/authZ scripts hosted on other machines to access this
> resource. I’ve used the SP ./metagen.sh to create client metadata
The metadata needed for this is very different SAML metadata from what that script was built to generate.
> The first endpoint, I assumed, is the /token like this:
Yes, basically. The resource parameter is the audience and needs to be authorized for that client, by putting <Audience> elements into the SAML metadata if that's the metadata format you want to use.
Alternatively, it's possible to implement a Java function or script to just brute-force the check, but the default is to put it in the metadata, as the documentation outlines.
-- Scott
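The two audience checks the thread is about, modelled as an added example (this is constructed illustration code, not Shibboleth IdP or OIDC plugin code): the token endpoint only issues a client-credentials token for `resource` values that are registered as audiences for that client, and the resource server only accepts a token whose `aud` names the resource server itself, never the RP's own client_id. The client registrations, URIs, the `audience` key in the JSON client metadata and the `invalid_target` error code (taken from RFC 8707) are assumptions for the example; the real plugin's metadata keys and error handling may differ.

```python
"""
Added example, not Shibboleth code: a minimal model of the audience handling
for the client credentials grant discussed in the thread.

 1. Token endpoint side: each `resource` parameter names a requested audience;
    all of them must be registered for the client, otherwise the request is
    refused (the "No allowed audience for client" situation).
 2. Resource server side: a token is accepted only if its `aud` claim names
    this resource server. A token carrying only the RP's client_id as audience
    is refused, because the RP is not the audience.
"""
import hmac
import time
from urllib.parse import parse_qs

# Constructed JSON client metadata. The "audience" list is an assumption about
# how registered audiences are expressed; it is not the plugin's schema.
CLIENT_METADATA = {
    "script-client": {
        "client_secret": "constructed-secret",
        "grant_types": ["client_credentials"],
        "audience": ["https://rs1.example.org", "https://rs2.example.org"],
    },
    "no-audience-client": {
        "client_secret": "constructed-secret-2",
        "grant_types": ["client_credentials"],
        # no "audience" registered: every resource request must fail
    },
}

ISSUER = "https://idp.example.org"  # constructed issuer


class TokenError(Exception):
    """Carries the OAuth error code the token endpoint would return."""


def authenticate_client(form):
    """Client secret authentication (client_secret_post style), constant-time compare."""
    client_id = form.get("client_id", [None])[0]
    secret = form.get("client_secret", [None])[0]
    reg = CLIENT_METADATA.get(client_id)
    if reg is None or not hmac.compare_digest(reg["client_secret"], secret or ""):
        raise TokenError("invalid_client")
    return client_id, reg


def handle_token_request(body, now=None):
    """Model of the token endpoint: returns the claims of the access token it would mint."""
    form = parse_qs(body, keep_blank_values=True)
    if form.get("grant_type") != ["client_credentials"]:
        raise TokenError("unsupported_grant_type")
    client_id, reg = authenticate_client(form)
    if "client_credentials" not in reg.get("grant_types", []):
        raise TokenError("unauthorized_client")
    requested = form.get("resource", [])
    if not requested:
        raise TokenError("invalid_target")  # nothing to issue a token for
    allowed = set(reg.get("audience", []))
    # Every requested resource must be a registered audience for this client.
    if not set(requested) <= allowed:
        raise TokenError("invalid_target")
    now = int(now if now is not None else time.time())
    return {
        "iss": ISSUER,
        "sub": client_id,  # client credentials: the subject is the client itself
        "client_id": client_id,
        "aud": sorted(set(requested)),
        "iat": now,
        "exp": now + 300,
        "scope": " ".join(form.get("scope", [""])),
    }


def token_error_for(body, now=None):
    """Return the OAuth error code a request would produce, or None if it succeeds."""
    try:
        handle_token_request(body, now=now)
    except TokenError as err:
        return str(err)
    return None


def resource_server_accepts(claims, my_identifier, now=None):
    """Resource server side: the token must name *this* server in `aud` and be unexpired."""
    now = now if now is not None else time.time()
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if my_identifier not in aud:
        return False  # covers a token whose aud is the RP's client_id
    return claims.get("exp", 0) > now


if __name__ == "__main__":
    req = ("grant_type=client_credentials&client_id=script-client"
           "&client_secret=constructed-secret&resource=https%3A%2F%2Frs1.example.org")
    claims = handle_token_request(req)
    print("issued aud:", claims["aud"])
    print("rs1 accepts:", resource_server_accepts(claims, "https://rs1.example.org"))
    print("rs2 accepts:", resource_server_accepts(claims, "https://rs2.example.org"))
    bad = req.replace("script-client", "no-audience-client").replace("constructed-secret", "constructed-secret-2")
    print("client with no registered audience:", token_error_for(bad))
```

Note that the model refuses the request outright when any one of several `resource` values is unregistered, rather than silently issuing a token for the subset that is; a script that asks for the wrong resource gets an error it can act on instead of a token that the resource server will reject later with less context.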