Is API management not validating token Audience something Wanted ?

[scandinave]

Hi,

I've seen that management API does not validate the token audience. The AudienceRule is not applied in the DelegatedAuthenticationExtension. I think it must be done like it is in the Oauth2ServiceExtension otherwise the Management API will authorize tokens emitted by the correct Authorization Server but intended for a different resources serveur protected with the authorization server

Do I miss something?

[scandinave]

@paullatzelsperger, I see that you have participated in the code of the DelegatedAuthenticationExtension. Any advice on this question ?

[paullatzelsperger]

it could be as simple as an oversight, but I wonder, what the expected audience would be. Doing this properly, we'd probably have to read it from a config value, possibly falling back to the participantId, or even throwing an error in its absence.

[scandinave]

Good point. If you are ok, I will try to do a PR for this. I can add this behind a config flag to not introduce a breaking change.

[paullatzelsperger]

sure, go ahead.

[paullatzelsperger]

@scandinave when you do, please either convert this discussion into an issue, or create a new issue and link it here so we don't lose the paper trail.