Token request containing audience with trailing slash provisioned but missing scopes

We've had a couple of instances of our API's consumers requesting tokens, but when setting the audience in their token request, adding a trailing slash to the audience domain. In the API definition in Kinde, the audience does not have this trailing slash. The result is that a token is granted (with the provided audience), but it has no scopes included in the token. My expectation is that the request would either provide a token with the usual scopes (as if the audience had been provided with the exact correct domain/audience), OR the request would be rejected as if the caller had provided an incorrect audience. N.b. this appears to be the case for any amount of trailing path after the slash as well. Is this intended behaviour?
5 Replies
Ages (2w ago)
Hi there,
Thanks for reaching out.
Based on our Token Customization docs, the audience value in your token request must match the registered API audience exactly. If additional characters (like a trailing slash or extra path) are appended, the expected behavior would be to either normalize the audience so that the usual scopes are applied or to reject the request outright. This isn't what you're seeing, which indicates a behavior that we didn't intend. For more details, please refer to our documentation on token customization here: https://docs.kinde.com/build/tokens/token-customization/
Let me know if you have any questions or need further clarification.
chossenger (OP, 7d ago)
That sounds right - do you need anything else from me to open a bug report?
Ages (7d ago)
Hi, thanks for confirming. I'll pass this along to our engineering team for further investigation. I'll keep you updated on any developments. In the meantime, if you come across any additional details or related issues, feel free to share them.
chossenger (OP, 7d ago)
Thanks!
Ages (7d ago)
Hi, thank you for reaching out. We've reviewed your case and confirmed that audience values must be an exact match. If an audience includes a trailing slash or additional path, the token request may be processed incorrectly, resulting in a token being granted without the expected scopes. To avoid this issue, please ensure that the audience in your token requests matches exactly as configured, without any extra slashes or modifications. Let us know if you have any questions or need further assistance.
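The thread above describes tokens being minted for a near-miss audience (`https://api.example.com/` instead of `https://api.example.com`) with an empty scope set. The defensive counterpart on the resource-server side is to refuse such tokens rather than trust whatever the issuer produced. The following is an added example, not Kinde's SDK or code from this thread: it takes already signature-verified access-token claims and applies two strict checks, an exact string match on `aud` (deliberately no trailing-slash or path normalization) and a check that every scope the endpoint needs is present. The audience value and sample claims are constructed, and it assumes scopes arrive in a list claim named `scp` (with a space-separated `scope` string as a fallback).

```python
"""Strict audience and scope checks for a resource server (added example).

Assumes the token's signature, issuer and expiry were verified earlier by a
JWT library; this code only inspects the resulting claims dictionary.
"""

# Hypothetical registered API audience, exactly as configured at the issuer.
CONFIGURED_AUDIENCE = "https://api.example.com"


class TokenRejected(Exception):
    """Raised when a token must not be accepted for this API."""


def audience_matches(claims, expected):
    """True only if `aud` contains `expected` as an exact string.

    No normalization on purpose: "https://api.example.com/" or
    ".../v1" are treated as a different, unregistered audience.
    """
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return expected in aud


def token_scopes(claims):
    """Collect granted scopes; `scp` list assumed, `scope` string as fallback."""
    scp = claims.get("scp")
    if isinstance(scp, list):
        return set(scp)
    return set(str(claims.get("scope", "")).split())


def authorize(claims, expected_audience, required_scopes):
    """Raise TokenRejected unless audience and scopes both pass."""
    if not audience_matches(claims, expected_audience):
        raise TokenRejected("audience mismatch: %r" % claims.get("aud"))
    missing = set(required_scopes) - token_scopes(claims)
    if missing:
        raise TokenRejected("missing scopes: %s" % sorted(missing))
    return True


def decide(claims, expected_audience=CONFIGURED_AUDIENCE, required_scopes=()):
    """Return 'allow' or 'deny: <reason>' for logging and tests."""
    try:
        authorize(claims, expected_audience, required_scopes)
        return "allow"
    except TokenRejected as exc:
        return "deny: " + str(exc)


# Constructed sample claims, not real tokens.
GOOD = {"aud": ["https://api.example.com"], "scp": ["read:orders", "write:orders"]}
SLASH_NO_SCOPES = {"aud": ["https://api.example.com/"], "scp": []}   # the reported case
PATH_APPENDED = {"aud": "https://api.example.com/v1", "scope": "read:orders"}
RIGHT_AUD_NO_SCOPES = {"aud": ["https://api.example.com"], "scp": []}
```

Logging the `deny:` reason gives a detection signal for clients that are misconfiguring their audience, which is how the issue in this thread would surface before anyone notices missing scopes.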
