Token request containing audience with trailing slash provisioned but missing scopes
We've had a couple instances of our API's consumers requesting tokens, but when setting the audience in their token request, adding a trailing slash to the audience domain.
In the API definition in Kinde, the audience does not have this trailing slash.
The result is that a token is granted (with the provided audience), but it has no scopes included in the token
My expectation is that the request would either provide a token with the usual scopes (as if the audience had been provided with the exact correct domain/audience), OR the request would be rejected as if the caller had provided an incorrect audience.
n.b. this appears to be the case for any amount of trailing path after the slash as well. Is this intended behaviour?
9 Replies
Hi there,
Thanks for reach out.
Based on our Token Customization docs, the audience value in your token request must match the registered API audience exactly. If additional characters (like a trailing slash or extra path) are appended, the expected behavior would be to either normalize the audience so that the usual scopes are applied or to reject the request outright. This isn’t what you’re seeing, which indicates a behavior that we didn’t intend. For more details, please refer to our documentation on token customization here: https://docs.kinde.com/build/tokens/token-customization/ Let me know if you have any questions or need further clarification
Thanks for reach out.
Based on our Token Customization docs, the audience value in your token request must match the registered API audience exactly. If additional characters (like a trailing slash or extra path) are appended, the expected behavior would be to either normalize the audience so that the usual scopes are applied or to reject the request outright. This isn’t what you’re seeing, which indicates a behavior that we didn’t intend. For more details, please refer to our documentation on token customization here: https://docs.kinde.com/build/tokens/token-customization/ Let me know if you have any questions or need further clarification
That sounds right - do you need anything else from me to open a bug report?
Hi,
Thanks for confirming. I’ll pass this along to our engineering team for further investigation.
I’ll keep you updated on any developments. In the meantime, if you come across any additional details or related issues, feel free to share them.
Thanks!
Hi,
Thank you for reaching out. We've reviewed your case and confirmed that audience values must be an exact match. If an audience includes a trailing slash or additional path, the token request may be processed incorrectly, resulting in a token being granted without the expected scopes.
To avoid this issue, please ensure that the audience in your token requests matches exactly as configured, without any extra slashes or modifications.
Let us know if you have any questions or need further assistance
Unfortunately it's our clients making the mistake, so as much as we can document that it needs to be exact, it hasn't stopped them making typos so far.
Just realised I posted this in #💻┃support instead of #🪲┃bug-reports , so apologies for that. Are you intending to apply a fix to reject invalid audiences?
Hi there, hope you are doing great.
This is Patrick from Kinde.
I take this over from Ages since he's on leave for a few days.
You are correct. It should reject the wrong audience. I already informed our engineering team, and they are taking action.
I will keep you updated on this.
Please let me know if you have any questions or need further assistance.
Sounds good - thanks for following up, appreciate it!
I am happy to help here.
I will get back to you if there's any update.
Don't hesitate to keep asking.
I will get back to you if there's any update.
Don't hesitate to keep asking.