Wrong azp value in TokenExchange JWT
#794
Labels
bug
Something isn't working
Comments
|
Hi, and thanks for reporting this issue! It seems like the change introduced in commit 5aa7bdb in version 2.1.10 is affecting the azp claim in the JWT resulting from the OAuth2 TokenExchange grant flow. We appreciate you pointing this out, and we’ll take a closer look to ensure that the azp claim correctly reflects the ClientID as defined in the spec. If you have any further insights or additional details, feel free to share them! We're grateful for your help in making this library better. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version affected:
2.1.10.This change: 5aa7bdb introduced in the version
2.1.10causes that a JWT resulting from the OAuth2 TokenExchange grant flow (https://www.rfc-editor.org/rfc/rfc8693.html) has a wrong value for theazpclaim.The
azpif present, must be the ClientID of the requesting party (see: OpenID Connect Core 1.0), that is the Actor that requests the token on behalf of the Subject, see: https://www.rfc-editor.org/rfc/rfc8693.html#name-request.This works as expected in the version
2.1.9The text was updated successfully, but these errors were encountered: