OpenAM: OPENAM-12886

Allow configurable audience for clients authenticating using JWT

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 7.0.0
    • Component/s: None

      Description

      If an OAuth client uses a JWT for client authentication, AM validates the audience (aud) claim of the client JWT. By default, aud must match the AM token endpoint URL, for example:

      {
        "sub": "jwt-bearer-client",
        "aud": [
          "http://openam551.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token"
        ],
        "iss": "jwt-bearer-client",
        "exp": 1523463867
      }

      In many deployments, AM is not directly exposed to OAuth clients. The clients interact with a facade/wrapper/adaptor layer, and that layer invokes AM internally. This means OAuth clients are not aware of the actual AM URL, such as:

      http://openam551.example.com:8585/sso/oauth2/realms/root/realms/employees/access_token

      In these cases, OAuth clients may pass something else (such as http://facade.example.com/oauth) in the JWT aud field:

      {
        "sub": "jwt-bearer-client",
        "aud": [
          "http://facade.example.com/oauth"
        ],
        "iss": "jwt-bearer-client",
        "exp": 1523464823
      }

      and AM returns the following error:

      {"error_description":"Invalid JWT audience","error":"invalid_request"}

      Allowing the aud value to be configured on the AM OAuth client would let customers define their own audience URLs.
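As an added example (not code from the ticket or from OpenAM), the audience check the ticket describes, written in Python: the default rule that aud must contain the token endpoint URL, the error body from the ticket when a facade URL is presented instead, and the proposed per-client list of extra audiences that makes the facade URL acceptable. The function names, the configured_audiences parameter, the unsigned token helper and the expiry-error wording are assumptions; only the two URLs and the claims come from the ticket.

```python
import base64
import json

# The endpoint and facade URLs are the ones in the ticket; everything else is constructed.
TOKEN_ENDPOINT = ("http://openam551.example.com:8585/sso/oauth2/realms/root"
                  "/realms/employees/access_token")
FACADE_AUDIENCE = "http://facade.example.com/oauth"
INVALID_AUDIENCE = {"error_description": "Invalid JWT audience", "error": "invalid_request"}
EXPIRED = {"error_description": "JWT expired", "error": "invalid_request"}  # our wording

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def claims_from_jws(jws: str) -> dict:
    """Claims set of a compact JWS. A real token endpoint verifies the signature
    against the client's registered key before trusting these claims."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def validate_client_assertion(claims: dict, now: int, token_endpoint: str = TOKEN_ENDPOINT,
                              configured_audiences=()):
    """Audience check as the ticket describes it: "aud" must contain the token
    endpoint URL. configured_audiences models the per-client setting the ticket asks
    for. Returns None on success, otherwise the JSON error body the endpoint sends."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # RFC 7519 allows a single string instead of an array
        aud = [aud]
    allowed = {token_endpoint, *configured_audiences}
    if not any(a in allowed for a in aud):
        return INVALID_AUDIENCE
    if now >= int(claims.get("exp", 0)):
        return EXPIRED
    return None

def unsigned_jws(claims: dict) -> str:
    """Constructed helper so the parser can be exercised offline (empty signature segment)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

FACADE_CLIENT = unsigned_jws({"sub": "jwt-bearer-client", "aud": [FACADE_AUDIENCE],
                              "iss": "jwt-bearer-client", "exp": 1523464823})  # ticket's 2nd JWT

if __name__ == "__main__":
    now = 1523463000  # constructed: shortly before the "exp" value
    print(validate_client_assertion(claims_from_jws(FACADE_CLIENT), now))  # the ticket's error
    print(validate_client_assertion(claims_from_jws(FACADE_CLIENT), now, TOKEN_ENDPOINT, [FACADE_AUDIENCE]))  # None
```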

      People

      • Assignee: Phill Cunnington (phillcunnington)
      • Reporter: Charan Mann (charan.mann)
      • Votes: 1
      • Watchers: 15
