[ https://issues.apache.org/jira/browse/CXF-6753?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergey Beryozkin resolved CXF-6753.
-----------------------------------
    Resolution: Fixed

Better now, it can be aligned with the future standardization efforts as needed

> OAuth2 audience support is incomplete
> -------------------------------------
>
>                 Key: CXF-6753
>                 URL: https://issues.apache.org/jira/browse/CXF-6753
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS, JAX-RS Security
>            Reporter: Sergey Beryozkin
>            Assignee: Sergey Beryozkin
>             Fix For: 3.1.5, 3.2.0
>
>
> The audience support in the OAuth2 code was done a while back based on the now
> expired draft, and while no standard is available, it is important to update
> the model now that it is getting integrated into Fediz/etc. Specifically, a
> single audience is only supported in the model while multiple audiences per
> token are possible.
> Token introspection response may include a single or multiple audiences, with
> a single audience being allowed to be reported as a non-array (as per JWT
> audience).
> Audience checks need to be updated too. The audience, if reported to the
> token/authorization endpoint, will have to be contained in the list of client
> audiences created during the registration. This can be relaxed in the future
> and become more dynamic.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
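
The two behaviours the issue describes, as an added protocol-level example in Python (not CXF code and not part of the original message): reading `aud` from an introspection response whether it is a string or an array, and accepting requested audiences only if they are in the client's registered list. The function names, client data and URLs are hypothetical, and the sample responses are constructed.

```python
import json

# Constructed sample data: audiences recorded for a client at registration.
REGISTERED = ["https://api.example.com/orders", "https://api.example.com/billing"]

# Constructed introspection responses: one audience as a bare string,
# several audiences as an array.
SINGLE = '{"active": true, "client_id": "c1", "aud": "https://api.example.com/orders"}'
MULTI = ('{"active": true, "client_id": "c1", "aud": '
         '["https://api.example.com/orders", "https://api.example.com/billing"]}')


def normalize_aud(claims):
    """Return the audiences as a list, whether "aud" is absent,
    a single string, or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    # Anything else (number, object, mixed array) is rejected, not guessed at.
    raise ValueError("aud must be a string or an array of strings")


def audiences_from_introspection(raw_json):
    """Parse an introspection response body and return its audience list."""
    return normalize_aud(json.loads(raw_json))


def requested_audiences_allowed(requested, registered):
    """Token/authorization endpoint check: every requested audience must be
    one of the client's registered audiences. A request that reports no
    audience passes, since there is nothing to compare."""
    return set(requested) <= set(registered)


if __name__ == "__main__":
    for raw in (SINGLE, MULTI):
        print(audiences_from_introspection(raw))
    print(requested_audiences_allowed(["https://api.example.com/orders"], REGISTERED))
    print(requested_audiences_allowed(["https://other.example.net"], REGISTERED))
```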