ValidateAudience: No allowed audience for client

Schofield, Richie Richie.Schofield at
Tue Jun 7 18:30:31 UTC 2022

I am understanding more clearly now. I can see examples of the SAML metadata specifying an audience in the test suites:

I cannot, however, find examples of setting an audience using the oidc-client.json or in the OAuthRPMetadataProfile doc. Is this the place I should be looking? If so, is there a document I can reference with how to set the audience details?

From: Cantor, Scott <cantor.2 at>
Date: Monday, June 6, 2022 at 5:10 PM
To: Schofield, Richie <Richie.Schofield at>, Shib Users <users at>
Subject: Re: ValidateAudience: No allowed audience for client

On 6/6/22, 4:45 PM, "Schofield, Richie" <Richie.Schofield at> wrote:

>    My objective is to get a client credential grant workflow setup.

Ok. First time anybody is trying it AFAIK.

Again, the RP is not the audience. The audience is the resource server(s) you're getting a token for, and you have to generally register an "audience" claim in the JSON metadata (or via SAML metadata) to control the audiences that an RP can request a token for.

> I have a protected resource and want to authN/authZ scripts hosted on other machines access to this
> resource. I’ve used the SP ./ to create client metadata

The metadata needed for this is very different SAML metadata than what that script was built to generate.

>    The first endpoint, I assumed, is the /token like this:

Yes, basically. The resource parameter is the audience and needs to be authorized for that client, by putting <Audience> elements into the SAML metadata if that's the metadata format you want to use.

Alternatively it's possible to implement a Java function or script to just brute force the check but the default is to put it in the metadata, as the documentation outlines.

-- Scott
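As an added illustration of the rule Scott describes (the RP is not the audience; the resource the client asks for must be among the audiences registered for that client), here is a simplified model of the check behind the "No allowed audience for client" error. This is not the Shibboleth OIDC plugin's code: the JSON field names, client ids and URLs are constructed assumptions, and the real registration format is whatever OAuthRPMetadataProfile documents.

```python
"""Simplified model of an OP-side audience check for a client_credentials
token request. Illustration only, not the Shibboleth plugin's code; the
"audience" key and the sample clients are constructed assumptions."""
import json
from urllib.parse import parse_qs

# Constructed client registry. "audience" stands in for however the
# deployment registers the resource servers a client may request tokens for.
CLIENT_REGISTRY_JSON = json.dumps([
    {"client_id": "script-client", "grant_types": ["client_credentials"],
     "audience": ["https://api.example.org/resource"]},
    {"client_id": "no-audience-client", "grant_types": ["client_credentials"],
     "audience": []},
])


def load_clients(raw: str) -> dict:
    """Index the registered clients by client_id."""
    return {c["client_id"]: c for c in json.loads(raw)}


def validate_audience(client: dict, requested: list) -> tuple:
    """The RP itself is never an audience: every requested resource must be
    in the client's registered audience list, and an empty list means the
    client can never obtain a token for anything."""
    allowed = client.get("audience", [])
    if not allowed:
        return False, "ValidateAudience: No allowed audience for client"
    if not requested:
        return False, "no resource parameter in token request"
    rejected = [r for r in requested if r not in allowed]
    if rejected:
        return False, "audience not authorized for client: %s" % rejected
    return True, "ok"


def handle_token_request(registry: dict, body: str) -> dict:
    """Parse a form-encoded /token request body (constructed) and run the
    audience check before anything would be minted. invalid_target is the
    RFC 8707 error for a rejected resource parameter."""
    form = parse_qs(body)
    if form.get("grant_type") != ["client_credentials"]:
        return {"error": "unsupported_grant_type"}
    client = registry.get(form.get("client_id", [""])[0])
    if client is None:
        return {"error": "invalid_client"}
    ok, reason = validate_audience(client, form.get("resource", []))
    if not ok:
        return {"error": "invalid_target", "error_description": reason}
    # Only the authorized resources become the token's audience.
    return {"aud": form["resource"], "client_id": client["client_id"]}
```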
