client_id in Access Token aud

With the help of __django-oidc-op/snippts/rp_hanlder.py__ here I post the debugging information regarding an ordinary oidcendpoint/oidcrp session.

in OAuth2 aud it's optional, as described here:
https://tools.ietf.org/html/rfc7519#section-4.1.3 

In OIDC not: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

````
python3 snippets/rp_handler.py -c example/data/oidc_rp/conf.django.yaml -u that_user -p that_password -iss django_oidc_op
````

````
Client registration done...
Connecting to Authorization url:
 {
  "url": "https://127.0.0.1:8000/authorization?redirect_uri=https%3A%2F%2F127.0.0.1%3A8099%2Fauthz_cb%2Fdjango_oidc_op&scope=openid+that_scope+profile+email+address+phone&response_type=code&nonce=wCn0Bncr7m6sRO10P5f7SA5o&state=ytSp5K8X5XvE5RCfEFmEpHqHZVn5kYgx&code_challenge=ycWJAoBgUEH9NyRPEsUJwvRtTUAsDRMKvMecaLs9d_8&code_challenge_method=S256&client_id=1UUl6cwNigmj",
  "state": "ytSp5K8X5XvE5RCfEFmEpHqHZVn5kYgx"
}


The Authorization endpoint returns a HTML authentication form with a token
 {
  "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImJXdG9SekV4VXkxak9GVXlSV2hwZUdkbFREWlBaME55TW1ka05ERlFaakJSUzJreVQwaExVazVJUVEifQ.eyJhdXRobl9jbGFzc19yZWYiOiAib2lkY2VuZHBvaW50LnVzZXJfYXV0aG4uYXV0aG5fY29udGV4dC5JTlRFUk5FVFBST1RPQ09MUEFTU1dPUkQiLCAicXVlcnkiOiAicmVkaXJlY3RfdXJpPWh0dHBzJTNBJTJGJTJGMTI3LjAuMC4xJTNBODA5OSUyRmF1dGh6X2NiJTJGZGphbmdvX29pZGNfb3Amc2NvcGU9b3BlbmlkK3RoYXRfc2NvcGUrcHJvZmlsZStlbWFpbCthZGRyZXNzK3Bob25lJnJlc3BvbnNlX3R5cGU9Y29kZSZub25jZT13Q24wQm5jcjdtNnNSTzEwUDVmN1NBNW8mc3RhdGU9eXRTcDVLOFg1WHZFNVJDZkVGbUVwSHFIWlZuNWtZZ3gmY29kZV9jaGFsbGVuZ2U9eWNXSkFvQmdVRUg5TnlSUEVzVUp3dlJ0VFVBc0RSTUt2TWVjYUxzOWRfOCZjb2RlX2NoYWxsZW5nZV9tZXRob2Q9UzI1NiZjbGllbnRfaWQ9MVVVbDZjd05pZ21qIiwgInJldHVybl91cmkiOiAiaHR0cHM6Ly8xMjcuMC4wLjE6ODA5OS9hdXRoel9jYi9kamFuZ29fb2lkY19vcCIsICJpc3MiOiAiaHR0cHM6Ly8xMjcuMC4wLjE6ODAwMCIsICJpYXQiOiAxNTk1OTMyNzI3fQ.VKnZZmWuHuOZjgaUUn7A5X5TjZaGeuuv8AjpwMkYdtmpxr31GEEOnmltjU3burmIZV1qOZC4vnRTZntAXO8GflwRkjtKBPvewGqkz4etHVZEkHZ3nKMG8zolFuU7xdYuV9wUok0ZzNh52qWcLhGOHTvBsfHB5gN7JXYSKF33Ii1JlwYL--nJLuIQRvV2MjyzzS01GGJ_Zlk2zWaox7MsWQeTcFk4HBnfaGc1ugjVJsMqpNwRmWvronVvU-93MvfVK46lhUQlvJuZNRJ2tlHc3JVvCDYmTfFk-MVlt_LhuTk90_u1G35lpX0klLavdgkOorUheJVVPsqCj9aME0GdqQ",
  "url": "verify/oidc_user_login/"
}


The Authorization returns a HttpRedirect (302) to https://127.0.0.1:8099/authz_cb/django_oidc_op?state=ytSp5K8X5XvE5RCfEFmEpHqHZVn5kYgx&scope=openid+that_scope+profile+email+address+phone&code=Z0FBQUFBQmZJQUE0YWFwUkdiMzhQM3oxNTkzNDZ4QlRQZjNlbUNIeXIwM1kwSkVZSHRzc0pueE01dndyZ2YxZXdzRVVGWGFlTXNmOFFGM3I3cW5iMEE5Uk9xXzFJQzRuN0tOd0ZrVzJwYlk3M2xIa3pCRGh4eUgySTRIaE9aVlhQSDFGenFwTHduR0NDc0tmSUJ3d3RsaXdLRldIMjQ1STcxRU5oWUE1WHIwb3B4ZWU2V1ZldndsRjBSWU1wOUF4N3owcDFWV2QzSDZtcUQzU0JKUW5qemxPdzFOdE5SWnJ4VXJ3N3hpM0dlYTZSYkROSmZyNURQWT0%3D&session_state=bc627c1120c4bb6fc3c6296d24fe926c9740b0f7944ce0e0c55c65b6055b5085.w9fW3DOoKcYD3nvU&iss=https%3A%2F%2F127.0.0.1%3A8000&client_id=1UUl6cwNigmj
 {}


Bearer Access Token
 "eyJhbGciOiJFUzI1NiIsImtpZCI6IlQwZGZTM1ZVYUcxS1ZubG9VVTQwUXpJMlMyMHpjSHBRYlMxdGIzZ3hZVWhCYzNGaFZWTlpTbWhMTUEifQ.eyJzaWQiOiAiYzBlY2QxMTFjMTM5MmM1N2M2YjE3MWZkMmNiYjJkMzFjMGM2NjUyOGVhN2QwZGFlZTNkODk2YTgiLCAidHR5cGUiOiAiVCIsICJzdWIiOiAiMDc2ZWNjYTk0ZmU0NTQ2N2I0NDM1ZDhlZWFkMjE4OGFkMzc3MWUxMGZmNjcyY2UxOTMwYzA0YWE4NjI0MTgxYyIsICJpc3MiOiAiaHR0cHM6Ly8xMjcuMC4wLjE6ODAwMCIsICJpYXQiOiAxNTk1OTMyNzI4LCAiZXhwIjogMTU5NTkzNjMyOCwgImF1ZCI6IFsiMVVVbDZjd05pZ21qIiwgImh0dHBzOi8vMTI3LjAuMC4xOjgwMDAiXX0.tAyozYfL6EpbZ0v_31_pm6MbeuD5RSILqZuIyObks_vJEzUOU1qqi4zxt4jz05s002u8y795NZPMqlgjpNNWFw"


Access Token
 {
  "sid": "c0ecd111c1392c57c6b171fd2cbb2d31c0c66528ea7d0daee3d896a8",
  "ttype": "T",
  "sub": "076ecca94fe45467b4435d8eead2188ad3771e10ff672ce1930c04aa8624181c",
  "iss": "https://127.0.0.1:8000",
  "iat": 1595932728,
  "exp": 1595936328,
  "aud": [
    "1UUl6cwNigmj",
    "https://127.0.0.1:8000"
  ]
}


ID Token
 {
  "sub": "076ecca94fe45467b4435d8eead2188ad3771e10ff672ce1930c04aa8624181c",
  "auth_time": 1595932727,
  "acr": "oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD",
  "nonce": "wCn0Bncr7m6sRO10P5f7SA5o",
  "iss": "https://127.0.0.1:8000",
  "iat": 1595932728,
  "exp": 1595933028,
  "aud": [
    "1UUl6cwNigmj"
  ]
}


Userinfo endpoint result:
 {
  "email": "giuseppe.demarco@unical.it",
  "given_name": "Giuseppe",
  "family_name": "De Marco",
  "gender": "male",
  "birthdate": "2020-07-26",
  "updated_at": 1595931659,
  "sub": "076ecca94fe45467b4435d8eead2188ad3771e10ff672ce1930c04aa8624181c"
}
```` 

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

client_id in Access Token aud #74

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

client_id in Access Token aud #74

Description

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions