Last post Jun 20, 2015 07:51 AM by BrockAllen
Jun 19, 2015 03:13 PM|BigGC|LINK
My problem appears to be a bug in the Microsoft implementation.
I am using the documentation at:
One of the things that is returned in a JWT is the "aud" parameter which is the audience.
According to the Open ID Connect spec:
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
My client id is 00000001234 (not my real ID, just an example).
I make it through the handshake and everything is groovy, I get my nonce "code" from Windows Live, then I exchange it for my token, but the token I get back has an "aud" value of:
When doing token validation I check the "aud" value in the returned token and the "aud" does not match the configured client_id, which it should, according to the spec.
My question is, other than not validating the audience of the token, is there any way to configure the app, in the MS Developer console so that it returns the client ID correctly for the "aud" value in the returned token?
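The validation step described in this post, written out as an added example (not code from the original thread or from Microsoft): the "aud" claim is accepted in both forms the quoted spec allows, a single string or an array of strings, and the comparison is case sensitive. The client id "00000001234", the demo token builder and the sample payloads are constructed for the example; the signature segment is a placeholder and is not checked here, so in real code the signature must be verified against the provider's published keys before any claim is trusted.

```python
import base64
import json

# Constructed client id, matching the placeholder used in the post above.
CLIENT_ID = "00000001234"


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def make_demo_token(payload: dict) -> str:
    # Constructed token for the demo: header and signature are placeholders.
    # A real ID token carries a signature that must be verified first.
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{b64url_encode(header)}.{b64url_encode(payload)}.placeholder-signature"


def decode_payload(token: str) -> dict:
    # Decode only the middle (payload) segment of header.payload.signature.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT must have exactly three segments")
    return json.loads(b64url_decode(parts[1]))


def audience_matches(aud, client_id: str) -> bool:
    # Per the OIDC Core text quoted above: aud is a single case sensitive
    # string or an array of case sensitive strings, and the Relying Party's
    # client_id MUST be among the values. Anything else is rejected.
    if isinstance(aud, str):
        return aud == client_id
    if isinstance(aud, list):
        return all(isinstance(a, str) for a in aud) and client_id in aud
    return False


def validate_audience(token: str, client_id: str) -> bool:
    # aud is REQUIRED in an ID Token, so a missing claim is a failure too.
    payload = decode_payload(token)
    if "aud" not in payload:
        return False
    return audience_matches(payload["aud"], client_id)


if __name__ == "__main__":
    good = make_demo_token({"iss": "https://login.example", "aud": CLIENT_ID})
    wrong = make_demo_token({"iss": "https://login.example", "aud": "000000012340000"})
    print("expected id:", validate_audience(good, CLIENT_ID))   # True
    print("longer id:  ", validate_audience(wrong, CLIENT_ID))  # False
```

If the provider returns a different identifier in "aud" than the one the application was registered with, this check fails exactly as the post describes; the fix belongs on the provider side or in the registered client id, not in skipping the audience check.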
Jun 20, 2015 07:24 AM|flcdrg|LINK
This question might be better asked in the Security group?
Jun 20, 2015 07:51 AM|BrockAllen|LINK
The aud claim usually maps to your client id -- this means it's typically defined by the provider (live in this case). So it seems like a bug (somewhere) that you're able to pass the wrong client id and get back a token. Try passing the longer client id in the initial request and see what live does.