Summary
When I request a token using the authorization code flow, I am receiving an id_token without the 'aud' attribute.
This is happening because the request is being made with the client_id in the body of the request, using the 'x-www-form-urlencoded' content type.
This type of request is documented in the OAuth 2.0 specification: https://tools.ietf.org/html/rfc6749#section-4.1.3
In my project (a single page application), I shouldn't use the BASIC authentication scheme because I am not sending the client_secret in the request.
The authorization server could support both situations, looking at the Authorization header and at the client_id attribute in the request body.
Steps to Reproduce
Sample request:
curl 'http://localhost:8083/token' \
  -H 'Connection: keep-alive' \
  -H 'Pragma: no-cache' \
  -H 'Cache-Control: no-cache' \
  -H 'Origin: http://localhost:3000' \
  -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36' \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -H 'Accept: */*' \
  -H 'Sec-Fetch-Site: same-site' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Referer: http://localhost:3000/callback?code=b5f4ff31-2745-4d92-a74d-b1c15b526d0b&scope=openid&state=d785b4d2116e48169afdfba16f6a5f81' \
  -H 'Accept-Encoding: gzip, deflate, br' \
  -H 'Accept-Language: en,pt-BR;q=0.9,pt;q=0.8' \
  --data 'client_id=client_id_sample&code=b5f4ff31-2745-4d92-a74d-b1c15b526d0b&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&code_verifier=7ac9958f77384255b5449fd77d35e8ba3788f0d88fa14ea6b6d782adf9ea12ff10ea725d9f2b4367bd63af6117d89eab&grant_type=authorization_code' \
  --compressed
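The behaviour the report asks for, as an added illustration that is not the project's own code: the token endpoint resolves the client from either the HTTP Basic `Authorization` header (confidential client with a secret) or the `client_id` form field (public client, which must bring a PKCE `code_verifier` and never a secret), and the resolved identity is what populates `aud` in the id_token in both cases. The client registry and issuer are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs

# Constructed client registry (hypothetical; stands in for the server's real store).
CLIENTS = {
    "client_id_sample": {"public": True, "secret": None},   # SPA, no secret
    "backend_app": {"public": False, "secret": "s3cret"},    # confidential client
}

def basic_header(client_id: str, secret: str) -> str:
    """Build the RFC 6749 section 2.3.1 client_secret_basic header value."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def resolve_client(headers: dict, body: str) -> str:
    """Return the authenticated client_id for a token request.

    Confidential clients must use Basic auth; public clients identify themselves
    with client_id in the x-www-form-urlencoded body (RFC 6749 section 4.1.3)
    and are held to PKCE instead of a secret.
    """
    form = parse_qs(body)
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        cid, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        client = CLIENTS.get(cid)
        if client is None or client["public"] or secret != client["secret"]:
            raise PermissionError("invalid_client")
        return cid
    cid = form.get("client_id", [None])[0]
    client = CLIENTS.get(cid)
    if client is None or not client["public"]:
        raise PermissionError("invalid_client")  # secret-holding clients may not skip Basic auth
    if "client_secret" in form or not form.get("code_verifier"):
        raise PermissionError("invalid_request")  # public client: PKCE required, secret forbidden
    return cid

def id_token_claims(issuer: str, subject: str, client_id: str, now: int, ttl: int = 300) -> dict:
    """Minimal OIDC id_token claim set; aud is always the resolved client_id."""
    return {"iss": issuer, "sub": subject, "aud": client_id, "iat": now, "exp": now + ttl}
```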