I'm using flask-oidc 1.4.0 on a resource server, and I have the following config settings set:
```python
app.config.update({
    'SECRET_KEY': 'not a very secret key',
    'TESTING': True,
    'DEBUG': True,
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_RESOURCE_SERVER_ONLY': True,
    'OIDC_RESOURCE_CHECK_AUD': True,
})
```
I expected my application to always verify that the "aud" parameter contained my client id, but it seems this check only happens if "aud" is actually present in the access token. If there is no "aud" field, the check does not seem to happen (and the request is allowed)?!
Is this the expected behavior? I was expecting the request would be rejected if "aud" was not present in the access token (similar to an invalid value).
Regards,
Rik
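To make the difference concrete, here is an added example (not flask-oidc's own code) that runs the two audience policies over decoded claim sets: the lax one in which a missing "aud" passes, and a strict one in which a missing "aud" is rejected like a wrong one. It assumes signature and expiry checks happen earlier; `CLIENT_ID` and the sample claim sets are constructed values.

```python
# Added example, not flask-oidc's own code: audience checks on decoded claims.
# Signature verification and expiry checks are assumed to happen before this.

CLIENT_ID = "my-resource-server"  # constructed; stands in for the client_id in client_secrets.json


def aud_values(claims):
    """Return the 'aud' claim as a list of strings, or None if it is absent.
    Per the JWT spec 'aud' may be a single string or an array of strings."""
    aud = claims.get("aud")
    if aud is None:
        return None
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("malformed aud claim")


def lax_aud_check(claims, client_id=CLIENT_ID):
    """Behaviour reported in this issue: the audience is only compared
    when 'aud' is present, so a token with no 'aud' at all is accepted."""
    auds = aud_values(claims)
    if auds is None:
        return True
    return client_id in auds


def strict_aud_check(claims, client_id=CLIENT_ID):
    """Stricter policy: a missing or malformed 'aud' is rejected, exactly
    like an 'aud' that does not name this resource server."""
    try:
        auds = aud_values(claims)
    except ValueError:
        return False
    if auds is None:
        return False
    return client_id in auds


# Constructed sample claim sets (decoded token payloads), not real tokens.
TOKEN_FOR_US = {"sub": "alice", "aud": CLIENT_ID, "exp": 9999999999}
TOKEN_FOR_OTHER = {"sub": "alice", "aud": ["some-other-api"], "exp": 9999999999}
TOKEN_NO_AUD = {"sub": "alice", "exp": 9999999999}

if __name__ == "__main__":
    for name, tok in [("for us", TOKEN_FOR_US), ("for other", TOKEN_FOR_OTHER), ("no aud", TOKEN_NO_AUD)]:
        print(f"{name:10s} lax={lax_aud_check(tok)!s:5s} strict={strict_aud_check(tok)}")
```

Only the "no aud" row differs between the two columns, which is the case the issue describes.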