ValidateAudience: No allowed audience for client

Cantor, Scott cantor.2 at
Tue Jun 7 18:46:13 UTC 2022

On 6/7/22, 2:30 PM, "Schofield, Richie" <Richie.Schofield at> wrote:

>    I am understanding more clearly now. I can see examples of the SAML metadata specifying an audience in
> the test suites:

There should be an example in the documentation, but I'd have to check.

>    I cannot, however, find examples of setting an audience using the oidc-client.json or in the
> OAuthRPMetadataProfile doc.

If it's not in the latter, it's an oversight; I'll have to review the documentation. The JSON approach is just an "audience" claim, same as any other claim; the docs should be saying that. I didn't use "aud" because while it's a match, I didn't want to accidentally overlap with anything they might eventually profile. Granted, "audience" isn't unique either, but I'm not the one who thinks using strings is a safe approach. Broken to start with.

-- Scott
