ValidateAudience: No allowed audience for client

Schofield, Richie Richie.Schofield at
Wed Jun 8 19:36:37 UTC 2022

Awesome, that has unblocked me. Thank you very much for your help, Scott.
I’ve got one more thing that I need help with.

I’m getting this error below but I did exactly what was in the initial setup doc. I didn’t modify and I generated a new version of the jwk files.
Any idea of what I can do to troubleshoot this? (side note, marking encryption as optional allows me to complete the workflow)

2022-06-08 15:31:35,601 - - WARN [org.opensaml.xmlsec.impl.BasicEncryptionParametersResolver:243] - Validation failure: Failed to resolve an encryption key

From: Cantor, Scott <cantor.2 at>
Date: Tuesday, June 7, 2022 at 3:01 PM
To: Schofield, Richie <Richie.Schofield at>, Shib Users <users at>
Subject: Re: ValidateAudience: No allowed audience for client

On 6/7/22, 2:46 PM, "Cantor, Scott" <cantor.2 at> wrote:

    >    I cannot, however, find examples of setting an audience using the oidc-client.json or in the
    > OAuthRPMetadataProfile doc.

I fixed the missing reference in the profile page. The Client Credentials docs mention the JSON claim:

"There is no standard metadata representation for allowed audience, so this is an extension. In the case of JSON metadata, a claim called “audience” is used, while in SAML format, the <saml:Audience> element is used."

I'll add some metadata examples to the page when I have more time.

-- Scott
