@ragnard ragnard commented Dec 6, 2025

Description

Add a config option to require OAuth2 access tokens to have an aud claim.

Previously, a null audience was always added as a valid audience, meaning that an access token without the aud claim would be accepted.

This behaviour is not always desirable. This change introduces a new config option:

  • http-server.authentication.oauth2.require-audience=true/false.

If false (default), the behaviour is as before this change. If true, access tokens without an aud claim will not be accepted.

Additional context and related issues

Similar issues have been raised before:

Release notes

( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(x) Release notes are required, with the following suggested text:

## Section
* Add OAuth2 configuration option to require an `aud` claim.
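As an added illustration of the two behaviours the description contrasts (this is example code, not Trino's implementation; the allowed-audience value and the tokens are constructed, and signature verification is assumed to have happened before this check):

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT.

    No signature check is done here: this helper only exists so the example can
    run offline on a constructed token. In a real validator the signature is
    verified first and the audience check runs on the verified claims.
    """
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


def audience_accepted(claims: dict, allowed_audiences: set, require_audience: bool) -> bool:
    """Model the behaviour described in the PR.

    require_audience=False: a missing `aud` claim is treated like the null
    audience that was always on the allowed list, so the token passes.
    require_audience=True: a missing `aud` claim is rejected outright.
    A present `aud` (string or list, per RFC 7519 section 4.1.3) must contain
    at least one configured audience.
    """
    aud = claims.get("aud")
    if aud is None:
        return not require_audience
    audiences = {aud} if isinstance(aud, str) else set(aud)
    return bool(audiences & allowed_audiences)


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned compact token for the demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


ALLOWED = {"trino-coordinator"}  # constructed configured audience

# Constructed tokens: no aud claim, a matching aud, and an aud for another service.
TOKEN_NO_AUD = make_unsigned_token({"sub": "alice", "iss": "https://idp.example"})
TOKEN_GOOD_AUD = make_unsigned_token({"sub": "alice", "aud": "trino-coordinator"})
TOKEN_OTHER_AUD = make_unsigned_token({"sub": "alice", "aud": ["other-service"]})


def check(token: str, require_audience: bool) -> bool:
    """Return whether the token passes the audience check under the given setting."""
    return audience_accepted(decode_claims(token), ALLOWED, require_audience)


if __name__ == "__main__":
    for name, tok in [("no aud", TOKEN_NO_AUD), ("matching aud", TOKEN_GOOD_AUD), ("other aud", TOKEN_OTHER_AUD)]:
        print(f"{name}: default={check(tok, False)} require-audience={check(tok, True)}")
```

Only the token without an `aud` claim changes outcome between the two settings; a token whose `aud` names another service is rejected under both.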

@cla-bot cla-bot bot added the cla-signed label Dec 6, 2025
@ragnard ragnard force-pushed the oauth-require-audience branch 3 times, most recently from d0da875 to 69e3bee December 6, 2025 09:57
@github-actions github-actions bot added the docs label Dec 6, 2025
@ragnard ragnard force-pushed the oauth-require-audience branch 2 times, most recently from 3235aa7 to 061002c December 6, 2025 10:18
@ragnard ragnard force-pushed the oauth-require-audience branch from 061002c to 207bdae December 6, 2025 10:32
@ragnard ragnard requested a review from mosabua December 6, 2025 12:12
@ragnard ragnard marked this pull request as ready for review December 6, 2025 12:12