Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5.1
Fix Version/s: 7.0.0
Component/s: None
If an OAuth client uses a JWT for client authentication, AM enforces audience validation on that JWT. By default the aud claim must be the AM token endpoint, for example:
{ "sub": "jwt-bearer-client", "aud": [ "http://openam551.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token" ], "iss": "jwt-bearer-client", "exp": 1523463867 }
In many deployments, AM is not directly exposed to OAuth clients. OAuth clients interact with a facade/wrapper/adaptor layer, and this layer invokes AM internally. This means OAuth clients are not aware of the actual AM URL, such as:
http://openam551.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token
In these cases, OAuth clients may pass something else (such as http://facade.example.com/oauth) in the JWT aud field:
{ "sub": "jwt-bearer-client", "aud": [ "http://facade.example.com/oauth" ], "iss": "jwt-bearer-client", "exp": 1523464823 }
and AM returns the following error:
{"error_description":"Invalid JWT audience","error":"invalid_request"}
Allowing the aud value to be configured on the AM OAuth client would let customers define their own aud URLs.
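The check this issue asks for, as an added illustration that is not AM's code: a client assertion is verified (signature, iss/sub, exp) and its aud must match either the token endpoint or an audience configured for that client. The token endpoint and the two sample payloads are the ones quoted above; the HS256 secret and the helper names are assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example, not AM's code. The token endpoint is the one quoted in the issue.
TOKEN_ENDPOINT = "http://openam551.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token"
INVALID_AUD = {"error_description": "Invalid JWT audience", "error": "invalid_request"}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_assertion(claims, secret):
    """Build an HS256 compact JWT for the demo client (constructed test data, not a real credential)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_assertion(jwt, secret, client_id, configured_auds=(), now=None):
    """Return (True, claims) or (False, error_body). Order: signature, iss/sub, exp, then aud."""
    try:
        header, payload, sig = jwt.split(".")
        expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        sig_ok = hmac.compare_digest(expected, _b64url_decode(sig))
        alg_ok = json.loads(_b64url_decode(header)).get("alg") == "HS256"  # no alg=none, no RSA/HMAC confusion
        claims = json.loads(_b64url_decode(payload))
        iss, sub, exp = claims.get("iss"), claims.get("sub"), claims.get("exp")
    except (ValueError, TypeError, AttributeError):
        return False, {"error_description": "Malformed JWT", "error": "invalid_request"}
    if not (alg_ok and sig_ok):
        return False, {"error_description": "Invalid JWT signature", "error": "invalid_client"}
    if iss != client_id or sub != client_id:
        return False, {"error_description": "Invalid JWT issuer or subject", "error": "invalid_client"}
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, {"error_description": "JWT expired", "error": "invalid_request"}
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # RFC 7519 allows a string or an array
    allowed = {TOKEN_ENDPOINT, *configured_auds}  # the improvement: per-client extra audiences
    if not any(a in allowed for a in aud):
        return False, INVALID_AUD  # the error body quoted in the issue
    return True, claims
```

With an empty configured_auds the facade audience is rejected exactly as described above; adding http://facade.example.com/oauth to configured_auds for that client makes the same assertion pass without loosening the check for other clients.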
relates to:
- OPENAM-12898 DNS alias results in audience validation failure for clients authenticating using JWT (Resolved)
- OPENAM-11455 Allow id_token "iss" and "aud" to be configurable (Open)