cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <>
Subject [jira] [Created] (CXF-6753) OAuth2 audience support is incomplete
Date Thu, 21 Jan 2016 13:00:43 GMT
Sergey Beryozkin created CXF-6753:

             Summary: OAuth2 audience support is incomplete
                 Key: CXF-6753
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS, JAX-RS Security
            Reporter: Sergey Beryozkin
            Assignee: Sergey Beryozkin
             Fix For: 3.1.5, 3.2.0

The audience support in the OAuth2 code was done awhile back based on the now expired draft,
and while no standard is available, it is important to update the model now that it is getting
integrated into Fediz/etc. Specifically, a single audience is only supported in the model
while multiple audiences per token are possible. 
Token introspection response may include a single or multiple audiences, with a single audience
being allowed to be reported as a non-array (as per JWT audience).
Audience checks need to be updated too. The audience, if reported to the token/authorization
endpoint, will have to be contained in the list of client audiences created during the registration.
This can be relaxed in the future and become more dynamic 

This message was sent by Atlassian JIRA

View raw message