Describe the bug
Citing RFC-7519, section 4.1.3:
"the audience claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim."
The same is also true for the "aud" claim from the introspection endpoint response (see RFC-7662).
Since the aforementioned principals do not need to know each other, a principal must not reject the token if it encounters further audience references it does not understand. Heimdall, however, currently expects all audiences to be known.
So if a token contains an "aud" claim with the values "foo" and "bar", and Heimdall is configured to expect "bar", the assertion will fail, leading to failed authentication.
The implementation should adhere to the requirements from the RFCs referenced above.
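To make the difference between the two behaviours concrete, here is an added Go example (Go being the language Heimdall is written in; this is not Heimdall's own code and does not use its API). It parses the "aud" member of a claims set or introspection response in both forms RFC 7519 allows (a single string or an array of strings), then applies two checks side by side: CheckAudienceStrict, which models the reported behaviour where every audience in the token must be known, and CheckAudience, which applies the RFC rule that the principal only has to find itself among the values. The claims document and the audience names are constructed for the example; the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// constructed sample claims set: the token is intended for "foo" and "bar",
// while the verifier only identifies itself as "bar" (the scenario in the report)
const sampleClaims = `{"iss":"https://issuer.example","sub":"alice","aud":["foo","bar"],"exp":4102444800}`

// parseAudience extracts the "aud" member from a JWT claims set or an RFC 7662
// introspection response. RFC 7519 section 4.1.3 allows either a single
// string or an array of strings. The bool reports whether "aud" was present.
func parseAudience(doc []byte) ([]string, bool, error) {
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(doc, &claims); err != nil {
		return nil, false, err
	}
	if len(claims.Aud) == 0 || string(claims.Aud) == "null" {
		return nil, false, nil
	}
	var single string
	if err := json.Unmarshal(claims.Aud, &single); err == nil {
		return []string{single}, true, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil {
		return nil, true, errors.New(`"aud" is neither a string nor an array of strings`)
	}
	return many, true, nil
}

// CheckAudience applies the RFC 7519 rule: the processing principal must find
// one of its own identifiers in "aud"; additional, unknown audiences are
// ignored. A token without "aud" is accepted only if no audience is expected.
func CheckAudience(doc []byte, self []string) (bool, error) {
	aud, present, err := parseAudience(doc)
	if err != nil {
		return false, err
	}
	if !present {
		return len(self) == 0, nil
	}
	for _, a := range aud {
		for _, s := range self {
			if a == s {
				return true, nil
			}
		}
	}
	return false, nil
}

// CheckAudienceStrict models the behaviour the report describes: every value
// in "aud" must be one of the configured audiences, so a token that also
// names an audience the verifier does not know is rejected.
func CheckAudienceStrict(doc []byte, expected []string) (bool, error) {
	aud, present, err := parseAudience(doc)
	if err != nil {
		return false, err
	}
	if !present {
		return len(expected) == 0, nil
	}
	known := make(map[string]struct{}, len(expected))
	for _, e := range expected {
		known[e] = struct{}{}
	}
	for _, a := range aud {
		if _, ok := known[a]; !ok {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	self := []string{"bar"}
	strict, _ := CheckAudienceStrict([]byte(sampleClaims), self)
	rfc, _ := CheckAudience([]byte(sampleClaims), self)
	fmt.Printf("aud=[foo bar], self=%v: strict=%v rfc=%v\n", self, strict, rfc)
}
```

Running it prints strict=false and rfc=true for the sample token, which is exactly the discrepancy the report describes. Note that the RFC-style check still rejects a token whose "aud" does not name the verifier at all, a token with a missing "aud" when an audience is configured, and a malformed "aud" that is neither a string nor an array; tolerating unknown audiences does not mean skipping audience validation.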
How can the bug be reproduced
See example given above
Relevant log output
No response
Relevant configuration
No response
Version
v0.13.0-alpha
On which operating system are you observing this issue?
None
In which environment are you deploying?
None
Additional Context
No response