Hello, In our current implementation the

As suggested by RFC 7519 section 4.1.3 (https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3), the audience identifies the recipients that the JWT is intended for.

For example, there are three APIs/clients with the following configuration:

Id : API1
Id : API2
Id : API3

When API1 is fetching an access token valid on the scope

If that's the case, then we can make some modifications in the release\2.0.11 to support this feature.
-
We made some changes in the Solution in order to support the notion of API resources.
api1 api1 has access to the scope
api2 api2 contains one resource named
You can download and execute the sample solution here.
-
The OpenID Connect spec allows for the aud claim to be an array.

Would it be possible to associate a scope with additional audience(s)? (in our case, so that a Resource Server doesn't have to know valid audiences in advance to validate the token)

Our use case is a public facing API, where we have a dynamic list of Client applications authenticated via OIDC OP. Potentially, the API could access this list, but it would be more helpful if the issued tokens could include an additional aud if the User consents to the requested scope.
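An added example, not part of the thread or of the project's code: the audience check from RFC 7519 section 4.1.3 as a resource server would apply it, accepting aud as either a single string or an array. The HS256 demo key, the helper names and the sample tokens are constructed for illustration; API1, API2 and API3 are the identifiers used in the thread.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # constructed sample secret, not a real issuer key

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the check below has input to work on."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url_encode(sign(head + '.' + body))}"

def audience_accepted(token: str, my_id: str) -> bool:
    """Verify the signature first, then require my_id to appear in aud."""
    try:
        head, body, sig = token.split(".")
        if not hmac.compare_digest(sign(f"{head}.{body}"), b64url_decode(sig)):
            return False
        header = json.loads(b64url_decode(head))
        claims = json.loads(b64url_decode(body))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return False
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False
    if header.get("alg") != "HS256":  # pin the algorithm this server expects
        return False
    aud = claims.get("aud")
    if isinstance(aud, str):  # special case: a single audience as one string
        aud = [aud]
    # Policy assumption of this example: a missing or malformed aud is rejected.
    if not isinstance(aud, list) or not all(isinstance(a, str) for a in aud):
        return False
    return my_id in aud
```

With an array-valued aud, each resource server still compares only against its own identifier, so it does not need the full list of valid audiences.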