From: "Jiajia Li (JIRA)"
To: dev@directory.apache.org
Date: Tue, 27 Oct 2015 03:03:27 +0000 (UTC)
Subject: [jira] [Commented] (DIRKRB-435) JWT Audience restriction validation is not working

[ https://issues.apache.org/jira/browse/DIRKRB-435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14975590#comment-14975590 ]

Jiajia Li commented on DIRKRB-435:
----------------------------------

In Token-preauth.pdf under directory-kerby/docs, there is a description of audience:

""aud" (Audience) Claim. This claim SHOULD specify the token audience appropriately, for Identity Token, the value SHOULD be the principal name of the Ticket Granting Service including the realm; for Access Token the value SHOULD be the principal name of the target service including the realm. The mechanism uses this attribute to determine the input token is an Identity Token or an Access Token."

So we can check the idtoken audience with tgs principal.

> JWT Audience restriction validation is not working
> --------------------------------------------------
>
>                 Key: DIRKRB-435
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-435
>             Project: Directory Kerberos
>          Issue Type: Bug
>            Reporter: Colm O hEigeartaigh
>             Fix For: 1.0.0-RC2
>
>
> When specifying a different JWT audience restriction value in the tests, validation is not failing. See the @Ignored test "testBadAudienceRestriction" in WithAccessTokenKdcTest/WithIdentityTokenKdcTest in the source.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
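The audience check the comment describes, written out as an added example in Python (this is not Apache Kerby's code). The principal names and claim sets are constructed for illustration, and the token's signature is assumed to have been verified before its claims are consulted.

```python
from typing import Mapping, Sequence

IDENTITY_TOKEN = "identity"
ACCESS_TOKEN = "access"


class AudienceError(ValueError):
    """The "aud" claim is missing, malformed, or names no acceptable audience."""


def audiences(claims: Mapping) -> Sequence[str]:
    """Normalise "aud", which RFC 7519 allows as one string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        raise AudienceError('missing "aud" claim')
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, (list, tuple)) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise AudienceError('"aud" must be a string or an array of strings')


def classify_token(claims: Mapping, tgs_principal: str, service_principal: str) -> str:
    """Return IDENTITY_TOKEN if "aud" names the TGS principal, ACCESS_TOKEN if it
    names the target service principal; a token naming neither is rejected rather
    than accepted, which is the behaviour the @Ignored test expects."""
    auds = audiences(claims)
    if tgs_principal in auds:
        return IDENTITY_TOKEN
    if service_principal in auds:
        return ACCESS_TOKEN
    raise AudienceError(f"audience {auds!r} matches neither TGS nor target service")


def audience_acceptable(claims: Mapping, tgs_principal: str, service_principal: str) -> bool:
    """Boolean form of classify_token for callers that only need accept/reject."""
    try:
        classify_token(claims, tgs_principal, service_principal)
        return True
    except AudienceError:
        return False


# Constructed sample principals and claim sets (assumptions, not Kerby test data).
TGS = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
SERVICE = "host/server.example.com@EXAMPLE.COM"
IDENTITY_CLAIMS = {"sub": "alice@EXAMPLE.COM", "aud": TGS}
ACCESS_CLAIMS = {"sub": "alice@EXAMPLE.COM", "aud": [SERVICE, "other@EXAMPLE.COM"]}
BAD_AUDIENCE_CLAIMS = {"sub": "alice@EXAMPLE.COM", "aud": "unrelated@EXAMPLE.COM"}
```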