oauth2: Custom audience param in /oauth2/auth is ignored
Preflight checklist
- [X] I could not find a solution in the existing issues, docs, nor discussions.
- [X] I agree to follow this project's Code of Conduct.
- [X] I have read and am following this repository's Contribution Guidelines.
- [ ] This issue affects my Ory Cloud project.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Describe the bug
Hydra doesn't handle the custom audience param in the /oauth2/auth request. Only the default audience is present in the ID Token by default, which is the client name.
Reproducing the bug
Steps to reproduce the behavior:
- Follow the 5 minute tutorial to set up Hydra.
- Create a client with id auth-code-client that is capable of the Authorization Code Grant and whose audience is set to https://foo.bar.buz:

```shell
docker-compose -f quickstart.yml exec hydra \
  hydra clients create \
  --endpoint http://127.0.0.1:4445 \
  --id auth-code-client \
  --secret secret \
  --audience "https://foo.bar.buz" \
  --grant-types authorization_code,refresh_token \
  --response-types code,id_token \
  --scope openid,offline \
  --callbacks http://127.0.0.1:5555/callback
```

- Set up the home route:

```shell
docker-compose -f quickstart.yml exec hydra \
  hydra token user \
  --client-id auth-code-client \
  --client-secret secret \
  --endpoint http://127.0.0.1:4444/ \
  --port 5555 \
  --scope openid,offline
```

- Copy the "Authorize application" link.
- Modify the audience parameter value to be set to https%3A%2F%2Ffoo.bar.buz, so the link should look like: http://127.0.0.1:4444/oauth2/auth?audience=https%3A%2F%2Ffoo.bar.buz&client_id=auth-code-client&max_age=0&nonce=wdhoiprayklzkvzatwowmzsp&prompt=&redirect_uri=http%3A%2F%2F127.0.0.1%3A5555%2Fcallback&response_type=code&scope=openid+offline&state=jojcywqutzgnoqwbramhkjza
- Copy the link from the previous step, and continue the authorization.
- Copy the value of the encoded ID Token
- You should receive an encoded ID Token. After decoding it on https://jwt.io/ you will get something like:
```json
{
  "at_hash": "gz3Pl_WR1EG1xViTQ2Vh-Q",
  "aud": [
    "auth-code-client"
  ],
  "auth_time": 1665581337,
  "exp": 1665585234,
  "iat": 1665581634,
  "iss": "http://127.0.0.1:4444/",
  "jti": "55fc9802-e6e9-4f19-9b52-8e2ab5923b13",
  "nonce": "hosviywywcflwlceuxsradyd",
  "rat": 1665581629,
  "sid": "095bcc88-640a-47e0-89fa-f754a576058b",
  "sub": "[email protected]"
}
```
Expected Result
```json
{
  "at_hash": "gz3Pl_WR1EG1xViTQ2Vh-Q",
  "aud": [
    "https://foo.bar.buz"
  ],
  "auth_time": 1665581337,
  "exp": 1665585234,
  "iat": 1665581634,
  "iss": "http://127.0.0.1:4444/",
  "jti": "55fc9802-e6e9-4f19-9b52-8e2ab5923b13",
  "nonce": "hosviywywcflwlceuxsradyd",
  "rat": 1665581629,
  "sid": "095bcc88-640a-47e0-89fa-f754a576058b",
  "sub": "[email protected]"
}
```
What is the expected behavior? Hydra should handle the audience param in the /oauth2/auth request and then create an ID Token that contains only the custom audiences that were requested, and if none were requested it can fall back to the current value.
Relevant log output
No response
Relevant configuration
No response
Version
v1.11.10
On which operating system are you observing this issue?
macOS
In which environment are you deploying?
Docker Compose
Additional Context
No response
Still an issue.
Found that the client ID is hard-coded for the ID token claims here: https://github.com/ory/hydra/blob/017ebae6e65a773f89d4f4d635e8694f83900f09/oauth2/handler.go#L1120
Regardless of correctly specifying the requested audience and the audience being allow-listed. https://github.com/ory/hydra/blob/017ebae6e65a773f89d4f4d635e8694f83900f09/oauth2/handler.go#L1076
Ironically it seems like fosite then appends the client ID again and deduplicates it: https://github.com/ory/fosite/blob/5e039ca9eef18ba5317f62760e111214bf93945f/handler/openid/strategy_jwt.go#L228
Note that it only applies for the ID token. When using:
```yaml
strategies:
  access_token: jwt
```
The access token will set the requested audience(s).
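The behaviour the report asks for (use the requested audience when it is allow-listed on the client, otherwise fall back to the client ID) and the append-and-dedupe step the follow-up comment points out in fosite, written out as a small Go program. This is an added example, not Hydra's or fosite's code; the `Client` type, `RequestedAudience`, `ResolveIDTokenAudience`, `AudienceMatches` and `ErrAudienceNotAllowed` are hypothetical names, and the choice to always keep the client ID in `aud` exactly once is an assumption taken from the comment about fosite, not from the reporter's expected output. The relying-party check at the end shows why the claim matters: a consumer expecting `https://foo.bar.buz` should not accept a token whose `aud` only names `auth-code-client`.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrAudienceNotAllowed is returned when the authorization request asks for an
// audience the client is not allow-listed for. (Hypothetical name; not Hydra's.)
var ErrAudienceNotAllowed = errors.New("requested audience is not allow-listed for this client")

// Client holds the two client properties that matter for audience resolution.
type Client struct {
	ID       string   // the client_id, e.g. "auth-code-client"
	Audience []string // allow-listed audiences, e.g. "https://foo.bar.buz"
}

// RequestedAudience extracts the audience parameter(s) from an /oauth2/auth URL.
// The parameter may be repeated or carry several space-separated values;
// url.Parse already undoes the %3A%2F%2F escaping shown in the report.
func RequestedAudience(rawURL string) ([]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, v := range u.Query()["audience"] {
		out = append(out, strings.Fields(v)...)
	}
	return out, nil
}

// ResolveIDTokenAudience computes the "aud" claim for an ID token:
//   - every requested audience must be on the client's allow-list (the client
//     ID itself is always acceptable), otherwise the request is rejected so no
//     token is minted for an audience the client was never granted;
//   - with nothing requested, the claim falls back to the client ID, which is
//     the current behaviour described in the report;
//   - the client ID is always present exactly once, mirroring the
//     append-and-dedupe step the follow-up comment describes in fosite.
func ResolveIDTokenAudience(c Client, requested []string) ([]string, error) {
	allowed := map[string]bool{c.ID: true}
	for _, a := range c.Audience {
		allowed[a] = true
	}
	for _, a := range requested {
		if !allowed[a] {
			return nil, fmt.Errorf("%w: %q", ErrAudienceNotAllowed, a)
		}
	}
	aud := append(append([]string(nil), requested...), c.ID)
	return dedupe(aud), nil
}

// dedupe keeps the first occurrence of each value, preserving order.
func dedupe(in []string) []string {
	seen := make(map[string]bool, len(in))
	out := make([]string, 0, len(in))
	for _, v := range in {
		if !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

// AudienceMatches is the relying-party side of the check: accept the ID token
// only if its "aud" claim names this consumer.
func AudienceMatches(aud []string, expected string) bool {
	for _, a := range aud {
		if a == expected {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inputs matching the report's reproduction steps.
	client := Client{ID: "auth-code-client", Audience: []string{"https://foo.bar.buz"}}
	authURL := "http://127.0.0.1:4444/oauth2/auth?audience=https%3A%2F%2Ffoo.bar.buz&client_id=auth-code-client&response_type=code&scope=openid+offline"

	requested, err := RequestedAudience(authURL)
	if err != nil {
		panic(err)
	}
	aud, err := ResolveIDTokenAudience(client, requested)
	fmt.Println(aud, err) // [https://foo.bar.buz auth-code-client] <nil>

	_, err = ResolveIDTokenAudience(client, []string{"https://not.allowed.example"})
	fmt.Println(errors.Is(err, ErrAudienceNotAllowed)) // true

	fmt.Println(AudienceMatches(aud, "https://foo.bar.buz")) // true
}
```

Rejecting a non-allow-listed audience at the authorization endpoint, rather than silently dropping it, is the safer choice: the client learns immediately that its request was not honoured instead of receiving a token whose `aud` differs from what it asked for.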