
I've protected a resource API with a client-credentials-flow bearer token in IDS4. I can specify an audience, and if it does not match the name of the ApiResource defined in IDS4, the token fails to validate as expected.

Snippet from IDS4

// IDS4 resource definition: the ApiResource name ("api6") is what IDS4 writes into the
// token's aud claim when a client requests the "api6" scope.
public static IEnumerable<ApiResource> ApiResources =>
    new List<ApiResource>
    {
        new ApiResource("api6")
        {
            Scopes = { "api6" },
            UserClaims =
            {
                JwtClaimTypes.Audience
            }
        },
    };

Snippet from Resource Api

builder.Services.AddAuthentication("Bearer")
                .AddJwtBearer("Bearer", options =>
                {
                    options.Authority = "https://localhost:5001";
                    //options.Audience = "api6"; // works as expected
                    options.Audience = "api7"; // Fails as expected
                    // Replacing TokenValidationParameters here is fine: the JwtBearer
                    // post-configure step copies options.Audience into ValidAudience
                    // when ValidAudience is still empty. ValidateAudience defaults to true.
                    options.TokenValidationParameters = new TokenValidationParameters
                    {
                        ValidateAudience = true
                    };
                });

However, if I remove ValidateAudience = true from the API, it all becomes meaningless unless I can force IDS4 to make an audience mandatory.

I'm looking to set a property somewhere in the identity server that's something like AudienceRequired = true;

So when the token is validated, it checks for the presence of the aud claim and that it's a relevant registered audience.

I.e., how do I stop another API resource from using the same creds? (Granted, you could hack the audience to be the same as another API's.)

It just seems pointless specifying audience validation in the resource if it's not enforced on the identity server and you can turn it off in code. Am I missing something?

SeanK

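The following is an added example, not code from the question or from IdentityServer4, that makes the point concrete: the aud claim is written by the issuer, but whether it is required and which value is accepted is decided entirely by the resource API's TokenValidationParameters. It mints three tokens shaped like IDS4 client-credentials tokens (aud=api6, aud=api7, and no aud claim at all) with a constructed symmetric demo key standing in for IDS4's signing credential, then validates each with the same parameters that options.Audience = "api6" produces, once with ValidateAudience on and once with it off. The key, client id and issuer URL are assumptions for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Added example: where audience enforcement actually lives.
// The symmetric key is a constructed demo key, not anything IDS4 would issue.
public static class AudienceDemo
{
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-of-at-least-32-bytes!!"));

    private const string Issuer = "https://localhost:5001"; // assumed, matches the question

    // Mints a token shaped like an IDS4 client-credentials token.
    // Passing null for audience produces a token with no aud claim at all.
    public static string Mint(string audience)
    {
        var claims = new List<Claim>
        {
            new Claim("client_id", "demo-client"), // assumed client id
            new Claim("scope", "api6"),
        };
        var jwt = new JwtSecurityToken(
            issuer: Issuer,
            audience: audience,
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // The parameters AddJwtBearer ends up with: options.Audience = "api6" is copied
    // into ValidAudience by the post-configure step when ValidAudience is empty.
    // ValidateAudience is the only knob that decides whether aud is checked at all.
    public static bool Validates(string token, bool validateAudience)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            IssuerSigningKey = Key,
            ValidAudience = "api6",
            ValidateAudience = validateAudience,
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            return true;
        }
        catch (SecurityTokenException e)
        {
            // Mismatched or missing aud surfaces as SecurityTokenInvalidAudienceException.
            Console.WriteLine($"    rejected: {e.GetType().Name}");
            return false;
        }
    }

    public static void Main()
    {
        var cases = new (string label, string token)[]
        {
            ("aud=api6", Mint("api6")),
            ("aud=api7", Mint("api7")),
            ("no aud  ", Mint(null)),
        };
        foreach (var validate in new[] { true, false })
        {
            Console.WriteLine($"ValidateAudience = {validate}");
            foreach (var (label, token) in cases)
                Console.WriteLine($"  {label}: accepted={Validates(token, validate)}");
        }
    }
}
```

With ValidateAudience = true, only the aud=api6 token is accepted; the aud=api7 token and the token with no aud claim are both rejected with SecurityTokenInvalidAudienceException, so the "AudienceRequired" behaviour the question asks for is already the resource-side default. With ValidateAudience = false, all three are accepted, which is why turning it off in the resource cannot be compensated for on the issuer: IDS4 can only put aud into the token, and IDS4 v4 does so for every ApiResource whose Scopes include a requested scope; it has no say in whether a resource reads it. The practical check is therefore the reverse of the question's framing: never disable ValidateAudience in a resource, and register each API as its own ApiResource so a token minted for one carries an aud the others will refuse.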