directory-dev mailing list archives

From "Jiajia Li (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRKRB-435) JWT Audience restriction validation is not working
Date Tue, 27 Oct 2015 03:03:27 GMT

    [ https://issues.apache.org/jira/browse/DIRKRB-435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14975590#comment-14975590 ]

Jiajia Li commented on DIRKRB-435:
----------------------------------

In Token-preauth.pdf under directory-kerby/docs, there is a description of audience:

""aud" (Audience) Claim. This claim SHOULD specify the token audience appropriately, for Identity
Token, the value SHOULD be the principal name of the Ticket Granting Service including the
realm; for Access Token the value SHOULD be the principal name of the target service including
the realm. The mechanism uses this attribute to determine the input token is an Identity Token
or an Access Token."

So we can check the identity token audience against the TGS principal.

> JWT Audience restriction validation is not working
> --------------------------------------------------
>
>                 Key: DIRKRB-435
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-435
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>             Fix For: 1.0.0-RC2
>
>
> When specifying a different JWT audience restriction value in the tests, validation is
> not failing. See the @Ignored test "testBadAudienceRestriction" in WithAccessTokenKdcTest/WithIdentityTokenKdcTest
> in the source.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
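The audience rule quoted above (identity token aud = TGS principal with realm, access token aud = target service principal with realm, and the token type is derived from which one matches) can be exercised with the following example. This is added illustration code, not Kerby's own implementation; the principal names, the unsigned alg=none test tokens and the realm EXAMPLE.COM are constructed here for the example and are not taken from the project sources.

```python
import base64
import json

# Assumed principals for the example (constructed, not from the Kerby sources).
TGS_PRINCIPAL = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
SERVICE_PRINCIPAL = "HTTP/server.example.com@EXAMPLE.COM"


def _b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in JWS compact form."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT for this example only.

    A real deployment must never accept alg=none; the helper exists so the
    audience logic can be run offline without a signing key.
    """
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Return the claims set (second segment) of a compact-serialized JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three segments")
    return json.loads(_b64url_decode(parts[1]))


def audiences(claims: dict) -> list:
    """RFC 7519 allows "aud" to be either one string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    return [a for a in aud if isinstance(a, str)]


def classify_token(token: str, tgs_principal: str = TGS_PRINCIPAL,
                   service_principal: str = SERVICE_PRINCIPAL) -> str:
    """Return "identity" or "access" based on the "aud" claim, else raise.

    Only the audience restriction is checked here. Signature verification and
    the exp/nbf/iss checks are assumed to have already succeeded; a token
    whose aud names neither principal is rejected rather than defaulted.
    """
    auds = audiences(decode_claims(token))
    is_identity = tgs_principal in auds
    is_access = service_principal in auds
    if is_identity and is_access:
        raise ValueError("ambiguous token: aud names both the TGS and the service")
    if is_identity:
        return "identity"
    if is_access:
        return "access"
    raise ValueError(f"audience restriction failed: aud={auds!r}")
```

The rejection branch is the behaviour the @Ignored testBadAudienceRestriction case expects: a token whose aud is some other principal must fail validation rather than be treated as either token type.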
