Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences.
570
+
</blockquote>
571
+
572
+
Despite of the fact that the _audience_ claim is not specified or mandatory for access tokens
573
+
specifying and validating the _audience_ claim of access tokens is strongly recommended by OAuth 2 & OIDC experts
574
+
to avoid misusing access tokens for other resource servers.
575
+
There is also a new [draft specification](https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt)
576
+
on the way to provide a standardized and interoperable profile as an alternative
577
+
to the proprietary JWT access token layouts.
578
+
579
+
So we should also validate that only those requests bearing access tokens containing the
580
+
expected value of "library-service" in the _audience_ claim are successfully authenticated.
569
581
570
582
So let's create a new class_AudienceValidator_ in package _com.example.library.server.security_
571
583
with the following contents:
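Review bot: the added paragraph (new lines 572-580) tells the reader to accept only tokens carrying "library-service" in the _audience_ claim, but it does not say what the validator should do when the claim is absent or when it holds several values; the quoted OIDC text directly above says `aud` MAY also contain identifiers for other audiences, so state explicitly that the check passes when "library-service" is one of the listed values and fails the authentication when the claim is missing or does not contain it, otherwise readers may implement a strict equality check that rejects perfectly valid multi-audience tokens. Wording: "Despite of the fact that" should read "Despite the fact that", and "So we should also validate" can drop "also". In the unchanged context line that follows, "class_AudienceValidator_" needs a space before the underscore ("class _AudienceValidator_") so the emphasis renders.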
@@ -741,8 +753,9 @@ Now, with our previous changes this request should succeed with an '200' OK stat
741
753
742
754
<hr>
743
755
744
-
This ends part 1 of this lab. Wecontinue with part 2 to replace the automatic mapping with our
745
-
own custom mapping.
756
+
This ends part 1 of this lab.
757
+
Wecontinue with [part 2](#lab-1---part-2) to have a closer look
758
+
into a resource server just using the automatic mapping provided by SpringSecurity5.
746
759
747
760
__<u>ImportantNote</u>__:If you could not manage to finish part 1 then just use the
748
761
project __lab1/library-server-complete-custom__ for the next labs.
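Review bot: new line 757 carries over the "Wecontinue" typo from removed line 744 it replaces; write "We continue". On new line 758 "SpringSecurity5" should read "Spring Security 5". The link target `#lab-1---part-2` only resolves if the part 2 heading produces exactly that slug (GitHub lowercases the heading, strips punctuation and turns each space into a hyphen, so "Lab 1 - Part 2" would give it), so please confirm the heading exists in that exact form. Since this paragraph is being edited anyway, the unchanged context lines 760-761 could get the same spacing fixes: "__<u>Important Note</u>__: If you could not ..." instead of "__<u>ImportantNote</u>__:If you could not ...".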