Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: set aud claim to Issuer #418

Merged
merged 1 commit into from
Feb 10, 2025
Merged

feat: set aud claim to Issuer #418

merged 1 commit into from
Feb 10, 2025

Conversation

paulswartz
Copy link
Collaborator

At some point, this became part of the FAPI2 spec:

https://openid.bitbucket.io/fapi/fapi-security-profile-2_0.html#section-5.3.1

Authorization servers [...] shall only accept its issuer identifier value (as defined in [RFC8414]) as a string in the aud claim received in client authentication assertions;

This also generally works with regular OIDC endpoint as well. To allow for the old behavior, we provide a token_request_claims option which can explicitly set any claims for the token request.

@paulswartz paulswartz force-pushed the aud-as-issuer-with-override branch from c90015b to afefaf7 Compare February 10, 2025 15:47
@paulswartz
feat: set aud claim to Issuer
287fc2b 
At some point, this became part of the FAPI2 spec:

https://openid.bitbucket.io/fapi/fapi-security-profile-2_0.html#section-5.3.1

> Authorization servers [...] shall only accept its issuer identifier value (as defined in [RFC8414]) as a string in the aud claim received in client authentication assertions;

This also generally works with regular OIDC endpoint as well. To allow
for the old behavior, we provide a `token_request_claims` option which
can explicitly set any claims for the token request.
@paulswartz paulswartz force-pushed the aud-as-issuer-with-override branch from afefaf7 to 287fc2b Compare February 10, 2025 15:48
@maennchen maennchen merged commit 02504bc into erlef:main Feb 10, 2025
26 checks passed
@maennchen
Copy link
Member

Thanks ❤️

@coveralls
Copy link

Pull Request Test Coverage Report for Build 249

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 2 of 2 (100.0%) changed or added relevant lines in 1 file are covered.
  • 6 unchanged lines in 2 files lost coverage.
  • Overall coverage decreased (-0.09%) to 91.866%
Files with Coverage Reduction New Missed Lines %
src/oidcc_provider_configuration_worker.erl 1 95.35%
src/oidcc_auth_util.erl 5 90.67%
Totals Coverage Status
Change from base Build 229: -0.09%
Covered Lines: 1073
Relevant Lines: 1168
💛 - Coveralls

@coveralls
Copy link

Pull Request Test Coverage Report for Build 251

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • 2 of 2 (100.0%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.007%) to 91.952%
Totals Coverage Status
Change from base Build 229: -0.007%
Covered Lines: 1074
Relevant Lines: 1168
💛 - Coveralls

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maennchen maennchen maennchen approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@paulswartz @maennchen @coveralls