Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
Unknown
Description
The audience support in the OAuth2 code was done awhile back based on the now expired draft, and while no standard is available, it is important to update the model now that it is getting integrated into Fediz/etc. Specifically, a single audience is only supported in the model while multiple audiences per token are possible.
Token introspection response may include a single or multiple audiences, with a single audience being allowed to be reported as a non-array (as per JWT audience).
Audience checks need to be updated too. The audience, if reported to the token/authorization endpoint, will have to be contained in the list of client audiences created during the registration. This can be relaxed in the future and become more dynamic