ValidateAudience: No allowed audience for client
Schofield, Richie
Richie.Schofield at netapp.com
Tue Jun 7 18:30:31 UTC 2022
I am understanding more clearly now. I can see examples of the SAML metadata specifying an audience in the test suites:
idp-oidc-extension-impl/src/test/resources/net/shibboleth/idp/oidc/metadata/impl/EntityDescriptor-with-oidcmd-clientsecret.xml
I cannot, however, find examples of setting an audience using the oidc-client.json or in the OAuthRPMetadataProfile doc. Is this the place I should be looking? If so, is there a document I can reference with how to set the audience details?
From: Cantor, Scott <cantor.2 at osu.edu>
Date: Monday, June 6, 2022 at 5:10 PM
To: Schofield, Richie <Richie.Schofield at netapp.com>, Shib Users <users at shibboleth.net>
Subject: Re: ValidateAudience: No allowed audience for client
On 6/6/22, 4:45 PM, "Schofield, Richie" <Richie.Schofield at netapp.com> wrote:
> My objective is to get a client credential grant workflow setup.
Ok. First time anybody is trying it AFAIK.
Again, the RP is not the audience. The audience is the resource server(s) you're getting a token for, and you have to generally register an "audience" claim in the JSON metadata (or via SAML metadata) to control the audiences that an RP can request a token for.
> I have a protected resource and want to authN/authZ scripts hosted on other machines access to this
> resource. I’ve used the SP ./metagen.sh to create client metadata
The metadata needed for this is very different SAML metadata than what that script was built to generate.
> The first endpoint, I assumed, is the /token like this:
Yes, basically. The resource parameter is the audience and needs to be authorized for that client, by putting <Audience> elements into the SAML metadata if that's the metadata format you want to use.
Alternatively it's possible to implement a Java function or script to just brute force the check but the default is to put it in the metadata, as the documentation outlines.
-- Scott
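To make the audience rule in the reply above concrete, here is an added example (not code from the Shibboleth project or from either poster) that models the check implied by the "No allowed audience for client" error: the client's registered audiences are read from either a JSON metadata "audience" claim or <Audience> elements in SAML-style metadata, and every `resource` value in a client_credentials request to /token must be among them. The metadata shapes, key names, XML namespace, client_id, secret and URLs below are constructed assumptions for illustration, not the extension's real schema; the real key names and elements are the ones the Shibboleth OIDC OP documentation gives.

```python
"""Toy model of the audience check behind "ValidateAudience: No allowed
audience for client". Added example, not Shibboleth code; metadata shapes,
key names and namespaces are assumptions."""
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed JSON RP metadata: an "audience" claim lists the resource
# servers this client may obtain tokens for. Key names are assumed.
JSON_CLIENT = json.loads("""
{
  "client_id": "scripts-client",
  "client_secret": "change-me",
  "grant_types": ["client_credentials"],
  "audience": ["https://api.example.org/protected"]
}
""")

# The same client with no audience registered: the failing configuration.
JSON_CLIENT_NO_AUD = {k: v for k, v in JSON_CLIENT.items() if k != "audience"}

# Constructed SAML-style metadata carrying <Audience> elements. The
# "urn:example:oidc-md" namespace is a placeholder, not the real schema.
SAML_CLIENT = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ex="urn:example:oidc-md" entityID="scripts-client">
  <ex:OIDCClient>
    <ex:Audience>https://api.example.org/protected</ex:Audience>
    <ex:Audience>https://reports.example.org</ex:Audience>
  </ex:OIDCClient>
</EntityDescriptor>"""


def audiences_from_json(metadata):
    """Registered audiences from JSON metadata; accepts a string or a list."""
    aud = metadata.get("audience", [])
    return {aud} if isinstance(aud, str) else set(aud)


def audiences_from_saml(xml_text):
    """Collect the text of every <Audience> element, whatever its namespace."""
    root = ET.fromstring(xml_text)
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "Audience" and el.text}


def validate_audience(allowed, requested):
    """Every `resource` value in the token request must be a registered
    audience. Returns (ok, error); the first error mirrors the log message."""
    if not allowed:
        return False, "No allowed audience for client"
    if not requested:
        return False, "No resource requested"
    bad = set(requested) - set(allowed)
    if bad:
        return False, "Audience not allowed for client: " + ", ".join(sorted(bad))
    return True, None


def build_token_request(resources, scope=None):
    """Form body of a client_credentials grant to /token, one `resource`
    parameter per requested audience (RFC 8707 style). Client
    authentication (e.g. HTTP Basic) is left out of this example."""
    params = [("grant_type", "client_credentials")]
    params += [("resource", r) for r in resources]
    if scope:
        params.append(("scope", scope))
    return urlencode(params)


if __name__ == "__main__":
    want = ["https://api.example.org/protected"]
    print(build_token_request(want, scope="read"))
    print(validate_audience(audiences_from_json(JSON_CLIENT), want))
    print(validate_audience(audiences_from_json(JSON_CLIENT_NO_AUD), want))
    print(validate_audience(audiences_from_saml(SAML_CLIENT), want))
```

The second print reproduces the situation in the subject line: the request is well formed, but the client has no audience registered, so the check fails before the requested resource is even compared. A custom Java function or script of the kind mentioned as an alternative would replace `validate_audience` with its own policy while the metadata-driven path stays the default.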