From: Sander A. <sa....@fz...> - 2022-10-11 06:40:19

Hi Krzysztof,

Last week we had a meeting with service providers and the developers of their service about the token exchange mechanism in Unity. We had the problem that the service did not work with Unity anymore after a service update. The software is CERN's FTS3 (file transfer service).

We also found the problem: when using the token exchange mechanism, Unity requires the audience claim, which is clearly written in the manual. But in RFC 8693 (OAuth 2.0 Token Exchange), the audience is defined as optional. Other IdM solutions like EGI-CheckIn and Indigo IAM (used by WLCG) do not require the audience claim for token exchange, and CERN FTS also does not send it.

What is the reason for Unity to make it mandatory, and do you see any possibilities to change this to optional? Is it possible to use multiple audiences in the claim if Unity requires the requesting client_id to be in there? FTS needs to alter the audience for delegation on behalf of a user.

Best regards,
Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, no. HR B 3498
Chairman of the Supervisory Board: MinDir Volker Rieke
Management Board: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman), Karsten Beneke (Deputy Chairman), Prof. Dr. Astrid Lambrecht, Prof. Dr. Frauke Melchior
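The request shape the message is about, as an added example that is not part of the original post nor code from Unity or FTS: it builds an RFC 8693 token-exchange body, where `audience` is optional and multiple audiences are sent by repeating the parameter, and evaluates that body under two server-side policies. The client id `fts-client`, the storage URL and the subject token are constructed values; the strict policy (requesting client must appear among the audience values) is an assumption modelled on the behaviour the post reports, not Unity's actual implementation.

```python
from urllib.parse import parse_qs, urlencode

# Identifiers defined by RFC 8693 (token exchange grant and access-token type).
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token, audiences=()):
    """Return the x-www-form-urlencoded body of a token exchange request.

    RFC 8693 makes `audience` OPTIONAL; several audiences are requested by
    repeating the `audience` parameter, which a list of tuples preserves.
    """
    params = [
        ("grant_type", TOKEN_EXCHANGE_GRANT),
        ("subject_token", subject_token),
        ("subject_token_type", ACCESS_TOKEN_TYPE),
    ]
    params += [("audience", a) for a in audiences]
    return urlencode(params)


def check_audience_policy(body, requesting_client_id, require_client_in_audience):
    """Authorization-server-side decision on an exchange request body.

    require_client_in_audience=False follows RFC 8693 (audience optional).
    True models the stricter policy described in the post (an assumption):
    the requesting client's id must be one of the audience values.
    Returns (accepted, reason).
    """
    form = parse_qs(body, keep_blank_values=True)
    if form.get("grant_type") != [TOKEN_EXCHANGE_GRANT]:
        return False, "unsupported grant_type"
    audiences = form.get("audience", [])  # list: one entry per repeated parameter
    if not require_client_in_audience:
        return True, "audience optional; accepted"
    if not audiences:
        return False, "audience parameter required but absent"
    if requesting_client_id not in audiences:
        return False, "requesting client_id not among audience values"
    return True, "audience includes requesting client"
```

Under the strict policy a request without `audience` (the FTS case) is rejected, while a request carrying both the client id and a delegation target as repeated `audience` values is accepted.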