aud claim is missing in token introspection response #22100
Labels
Priority/High
QA-Reported
Issues reported by a QA
Team/API Access Mgt & Authorization
Type/Improvement
Description
When validating access tokens obtained via a refresh token, the aud (audience) claim is missing from the token introspection response for opaque tokens. Additionally, during authorization code grants, the aud claim is intermittently missing from the token introspection response for opaque tokens.
For the same token, sometimes aud is present in the response and sometimes it is missing.
Note: Per the OAuth 2.0 Token Introspection specification, the aud (audience) claim is optional in the introspection response. However, a missing aud in an opaque token introspection response can cause confusion about the token's audience, leading to potential misuse.
Reproducible in Asgardeo Dev and Prod as well.
Steps to Reproduce
Obtain an access token using a refresh token.
Try token introspection using the opaque token.
Observe that the aud parameter is intermittently missing from the introspection response.
Version
7.1
Environment Details (with versions)
Device: MacBook
macOS
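A reproduction and validation helper for the steps above, added here as an example; it is not code from the issue, from WSO2 Identity Server or from Asgardeo. It assumes the standard RFC 6749 refresh_token grant and RFC 7662 introspection endpoint shapes; the endpoint URLs, client credentials and the sample responses are placeholders constructed for illustration. Two points a resource server should take from the report: the same opaque token must be introspected repeatedly to catch the intermittent behaviour, and audience validation should fail closed when aud is absent rather than treat an absent claim as "any audience".

```python
"""Check token-introspection responses for a missing/inconsistent `aud` claim.

Added example, not the project's own code. Endpoint URLs and credentials below
are placeholders (assumptions); the sample responses are constructed.
"""
import base64
import json
import os
import urllib.parse
import urllib.request
from collections import Counter
from typing import Any, Callable, Dict, Optional

# Placeholder endpoints (assumption: default IS 7.x OAuth2 paths; adjust for Asgardeo).
TOKEN_URL = os.environ.get("TOKEN_URL", "https://localhost:9443/oauth2/token")
INTROSPECT_URL = os.environ.get("INTROSPECT_URL", "https://localhost:9443/oauth2/introspect")


def _basic_auth(client_id: str, client_secret: str) -> str:
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def _post_form(url: str, data: Dict[str, str], auth_header: str) -> Dict[str, Any]:
    """POST an x-www-form-urlencoded body and decode the JSON reply."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode(), method="POST")
    req.add_header("Authorization", auth_header)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def refresh_access_token(refresh_token: str, client_id: str, client_secret: str) -> Dict[str, Any]:
    """Step 1 of the report: obtain a (opaque) access token via the refresh_token grant."""
    return _post_form(TOKEN_URL,
                      {"grant_type": "refresh_token", "refresh_token": refresh_token},
                      _basic_auth(client_id, client_secret))


def introspect(token: str, client_id: str, client_secret: str) -> Dict[str, Any]:
    """Step 2 of the report: RFC 7662 introspection of the opaque token."""
    return _post_form(INTROSPECT_URL, {"token": token}, _basic_auth(client_id, client_secret))


def check_audience(introspection: Dict[str, Any], expected_aud: str) -> Optional[str]:
    """Return None if the token is acceptable for `expected_aud`, otherwise a reason.

    Fails closed: an inactive token, a missing `aud`, or an `aud` that does not
    contain the expected audience are all rejected. `aud` may be a string or a list.
    """
    if not introspection.get("active"):
        return "inactive"
    aud = introspection.get("aud")
    if aud is None:
        return "aud missing"
    auds = [aud] if isinstance(aud, str) else list(aud)
    if expected_aud not in auds:
        return f"aud mismatch: expected {expected_aud!r}, got {auds!r}"
    return None


def tally_aud_presence(token: str, introspect_fn: Callable[[str], Dict[str, Any]],
                       rounds: int = 20) -> Counter:
    """Step 3 of the report: introspect the same token repeatedly and count how
    often `aud` is present vs. missing, which surfaces the intermittent behaviour."""
    counts: Counter = Counter()
    for _ in range(rounds):
        counts["aud_present" if "aud" in introspect_fn(token) else "aud_missing"] += 1
    return counts


# Constructed sample responses (not captured from a real server): one with aud, one without.
SAMPLE_WITH_AUD = {"active": True, "aud": "my-resource-server", "scope": "openid", "token_type": "Bearer"}
SAMPLE_WITHOUT_AUD = {"active": True, "scope": "openid", "token_type": "Bearer"}


if __name__ == "__main__":
    rt, cid, sec = (os.environ.get(k) for k in ("REFRESH_TOKEN", "CLIENT_ID", "CLIENT_SECRET"))
    if rt and cid and sec:
        access_token = refresh_access_token(rt, cid, sec)["access_token"]
        print(tally_aud_presence(access_token, lambda t: introspect(t, cid, sec)))
    else:
        # Offline run against the constructed samples.
        for sample in (SAMPLE_WITH_AUD, SAMPLE_WITHOUT_AUD):
            print(check_audience(sample, "my-resource-server"))
```

Run it with REFRESH_TOKEN, CLIENT_ID and CLIENT_SECRET set to reproduce against a server; without them it exercises the fail-closed check on the constructed samples. A non-zero aud_missing count alongside aud_present for one token is the inconsistency the issue describes.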