cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CXF-6753) OAuth2 audience support is incomplete
Date Fri, 22 Jan 2016 16:06:39 GMT

     [ https://issues.apache.org/jira/browse/CXF-6753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sergey Beryozkin resolved CXF-6753.
-----------------------------------
    Resolution: Fixed

better now, it can be aligned with the future standardization efforts as needed

> OAuth2 audience support is incomplete
> -------------------------------------
>
>                 Key: CXF-6753
>                 URL: https://issues.apache.org/jira/browse/CXF-6753
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>             Fix For: 3.1.5, 3.2.0
>
>
> The audience support in the OAuth2 code was done awhile back based on the now expired
draft, and while no standard is available, it is important to update the model now that it
is getting integrated into Fediz/etc. Specifically, a single audience is only supported in
the model while multiple audiences per token are possible. 
> Token introspection response may include a single or multiple audiences, with a single
audience being allowed to be reported as a non-array (as per JWT audience).
> Audience checks need to be updated too. The audience, if reported to the token/authorization
endpoint, will have to be contained in the list of client audiences created during the registration.
This can be relaxed in the future and become more dynamic 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message