
Support azp and multiple audiences : Oracle IDCS sign in is successful, but isAuthenticated is false and token is blank #582

Closed
rajup3 opened this issue Feb 23, 2020 · 4 comments

Comments

@rajup3

rajup3 commented Feb 23, 2020

Trying to implement implicit flow as below,
- Configuration is as https://github.com/rajup3/ng-auth-oidc/blob/master/src/app/app.module.ts
- OidcModuleSetup is successful and auto login component initiating request for this.oidcSecurityService.authorize();
- User is shown the Oracle IDCS login page
- User enters username and password
- User redirected to redirect URL
- After login window.location.hash is showing access_token and id_token
- But this.oidcSecurityService.getIdToken() and this.oidcSecurityService.getToken() are blank

Please suggest, if any configuration is missing.

Code is available here https://github.com/rajup3/ng-auth-oidc

@niw219

niw219 commented Feb 27, 2020

I am also trying to implement with IDCS.
After looking through the code and with prior experience using OIDC with IDCS, I have realized that the issue relates to the audience retrieved from the token. IDCS includes both the client id and a generic oracle identity cloud url for the audience value, but the validation does not accommodate this. We have had conversations with the Oracle development team regarding this issue and they have cited the official OIDC documentation saying this is actually the correct audience value. Would there be able to be a change to accommodate this? Or be able to include additional custom trusted values for the "aud" value.

@damienbod
Owner

damienbod commented Feb 27, 2020

@rajup3 @niw219 yes, if it's a value defined in the spec, yes. I don't have a test system to implement this. Could you maybe do a PR so this can be supported, or send me the info so we can support this

additional custom trusted values for the "aud" would be something which could be implemented with little effort.

Greetings Damien

@niw219

niw219 commented Feb 28, 2020

You can find the original document here: https://openid.net/specs/openid-connect-basic-1_0.html

Some of the highlighted points to support this:

Info in the ID Token section (2.2):

aud: REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.

azp: OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party. It MAY be included even when the authorized party is the same as the sole audience. The azp value is a case-sensitive string containing a StringOrURI value.

Info in the ID Token Validation Section:

The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience, or if it contains additional audiences not trusted by the Client.

If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
If an azp (authorized party) Claim is present, the Client SHOULD verify that its client_id is the Claim Value.

I think that the current code only accommodates one audience value that is equivalent to the client id.
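The audience and azp rules quoted above, written out as a validation function. This is an added example, not code from angular-auth-oidc-client or from the issue participants; the `trustedAudiences` option is the proposed configuration from this thread, and the IDCS claim values are constructed placeholders.

```typescript
// Added example (not the library's own code): the ID token audience rules
// quoted above, plus the "additional trusted audiences" option proposed here.

interface IdTokenClaims {
  iss: string;
  aud: string | string[];   // spec: one string, or an array of strings
  azp?: string;             // authorized party, optional
}

interface AudienceOptions {
  clientId: string;
  // Extra audiences this client chooses to trust, such as the generic
  // Oracle identity cloud URL IDCS adds beside the client id.
  trustedAudiences?: string[];
}

// Returns an empty list when the audience checks pass, otherwise the reasons
// the ID token must be rejected. Signature, iss, exp and nonce checks are
// separate and not shown here.
function validateAudience(claims: IdTokenClaims, opts: AudienceOptions): string[] {
  const problems: string[] = [];
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const trusted = [opts.clientId].concat(opts.trustedAudiences || []);
  // MUST: aud contains this client's client_id.
  if (audiences.indexOf(opts.clientId) === -1) {
    problems.push('aud does not list this client_id');
  }
  // MUST: reject additional audiences the client does not trust.
  const untrusted = audiences.filter(a => trusted.indexOf(a) === -1);
  if (untrusted.length > 0) {
    problems.push('aud contains untrusted audience(s): ' + untrusted.join(', '));
  }
  // SHOULD: with multiple audiences, azp is present and equals client_id.
  if (audiences.length > 1 && claims.azp === undefined) {
    problems.push('multiple audiences but no azp claim');
  }
  if (claims.azp !== undefined && claims.azp !== opts.clientId) {
    problems.push('azp does not match this client_id');
  }
  return problems;
}

// Constructed sample in the shape reported above: client id plus a generic
// Oracle audience. Both values are placeholders, not a real tenant's.
const sampleIdcsClaims: IdTokenClaims = {
  iss: 'https://idcs-EXAMPLE.identity.oraclecloud.com',
  aud: ['my-client-id', 'https://idcs.example/generic-audience'],
  azp: 'my-client-id',
};
```

With only `clientId` configured the sample token is rejected for its extra audience; adding that audience to `trustedAudiences` makes it pass while a wrong `azp` or a missing client id still fails.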

@damienbod damienbod changed the title Oracle IDCS sign in is successful, but isAuthenticated is false and token is blank Support azp and multiple audiences : Oracle IDCS sign in is successful, but isAuthenticated is false and token is blank Mar 5, 2020
@damienbod
Owner

damienbod commented Apr 27, 2020

Thanks for reporting
fixed in version 11
