From: Krzysztof B. <kb...@un...> - 2022-10-18 10:12:54

Hi Sander,

On 11.10.2022 at 08:40, Sander Apweiler wrote:
> Hi Krzysztof,
> last week we had a meeting with service providers and the developers of
> their service about the token exchange mechanism in unity. We had the
> problem that the service did not work with unity anymore after a
> service update. The software is CERN's FTS3 (file transfer service). We
> also found the problem: Using the token exchange mechanism unity
> requires the audience claim, which is clearly written in the manual.
> But in RFC 8693 (OAuth 2.0 Token Exchange), the audience is defined as
> optional. Other IdM solutions like EGI-CheckIn and Indigo IAM (used by
> WLCG) do not require the audience claim for token exchange and CERN FTS
> does also not send this. What is the reason for unity to make it
> mandatory and do you see any possibilities to change this to optional?
> Is it possible to use multiple audiences in the claim if unity requires
> the requesting client_id to be in there? FTS needs to alter the
> audience for delegation on behalf of a user.

All you wrote is correct. For the early use-cases of token exchange back when it was implemented, we added a simplification which you described around mandatory audience. The reason is: we have simpler code and have to worry about AuthZ less :-)

Yes, it should be possible to lift this limitation, as well as allow for multiple audiences. It won't be a very easy change, but also not super difficult.

Best,
Krzysztof
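To make the two positions in the thread concrete, the following is an added example (not Unity's or FTS3's code) of an audience check on a token-exchange request, with the strict "aud required and must name the requesting client" rule beside the RFC 8693 reading where the audience is optional. It assumes the requirement applies to the subject token's `aud` claim; the client and audience names, and the unsigned demo tokens, are constructed for the example.

```python
import base64
import json

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    # Constructed demo token: unsigned ("alg": "none"); never accept such tokens for real.
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def jwt_payload(token: str) -> dict:
    # Reads the claims segment only; signature verification is assumed to have happened before.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def audiences(claims: dict) -> list:
    # RFC 7519: "aud" may be absent, a single string, or an array of strings.
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)

def check_token_exchange(request: dict, client_id: str, audience_required: bool):
    """Apply the audience policy to a token-exchange request; returns (accepted, reason).
    audience_required=True models the strict rule described for Unity (subject token must
    carry "aud" naming the requesting client); False models RFC 8693's optional audience."""
    if request.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return False, "not a token-exchange request"
    auds = audiences(jwt_payload(request["subject_token"]))
    if not auds:
        if audience_required:
            return False, "subject token carries no aud claim"
        return True, "no aud claim; accepted because the audience is optional"
    if client_id not in auds:
        return False, f"aud {auds} does not include the requesting client {client_id!r}"
    return True, "requesting client is among the token's audiences"

# Constructed request in the shape the thread describes for FTS: subject token without any aud.
FTS_STYLE_REQUEST = {
    "grant_type": TOKEN_EXCHANGE_GRANT,
    "subject_token": make_unsigned_jwt({"sub": "user1", "scope": "storage.read"}),
}
# Constructed multi-audience token, the case asked about in the thread.
MULTI_AUD_REQUEST = {
    "grant_type": TOKEN_EXCHANGE_GRANT,
    "subject_token": make_unsigned_jwt({"sub": "user1", "aud": ["fts-client", "storage"]}),
}
```

Under the strict policy the FTS-style request is rejected for the missing claim, under the optional policy it passes, and a multi-valued `aud` is accepted as long as the requesting client is one of its entries.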