This repository has been archived by the owner on Jan 24, 2024. It is now read-only.

[DOCS] Bug in OAuth2 instructions - mixup between scope and audience? #1688

Open
devinbost opened this issue Jan 11, 2023 · 0 comments

On the page https://github.com/streamnative/kop/blob/master/docs/security.md#oauthbearer, it shows an example client configuration of scope equaling api://pulsar-cluster-1/.default and audience equaling https://broker.example.com.
However, RFC-6749 section 3.3 indicates that the Access Token Scope parameter ("scope") is to inform the authorization server of the authorization scope requested by the client. (A given access token can carry multiple scopes, as explained here: https://community.auth0.com/t/understanding-how-the-audience-concept-actually-works/34011/3)
The syntax in the KoP doc for the scope example, api://pulsar-cluster-1/.default, appears more like what I'd expect the audience parameter value to look like since audience is a resource identifier that is unique to the token. In the example in the KoP doc, https://broker.example.com is not something that would be unique to a token.

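The distinction the issue turns on, shown as an added example that is not part of the issue, the KoP docs, or the KoP project code: a resource server (here a hypothetical broker identified by the constructed URI `https://broker.example.com`) first checks that the token's `aud` claim names this resource (RFC 7519 section 4.1.3 allows a single string or an array), and only then checks that the space-delimited `scope` value (RFC 6749 section 3.3) grants the permission the operation needs. The claim set, the scope names `produce`/`consume`, and the issuer are constructed sample values; signature verification is assumed to have already succeeded before these checks run.

```python
"""Added example: audience vs. scope checks on an already-verified access token.

Not code from the KoP project or the issue author. The resource identifier,
scope names and claims below are constructed for illustration.
"""
import time

# Identifier this hypothetical resource server expects to find in `aud`.
RESOURCE_ID = "https://broker.example.com"


def parse_scope(scope):
    """RFC 6749 s3.3: scope is a space-delimited list of case-sensitive strings."""
    return set(scope.split()) if scope else set()


def audience_matches(aud, expected):
    """RFC 7519 s4.1.3: `aud` may be one string or an array of strings."""
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, (list, tuple)):
        return expected in aud
    return False


def authorize(claims, required_scope, resource_id=RESOURCE_ID, now=None):
    """Return (allowed, reason).

    Audience binds the token to one resource server; scope grants particular
    permissions at that server. A token for another audience is rejected even
    if it carries the right scope. Signature verification is assumed done.
    """
    now = time.time() if now is None else now
    if claims.get("exp") is not None and now >= claims["exp"]:
        return False, "token expired"
    if not audience_matches(claims.get("aud"), resource_id):
        return False, "token not issued for this resource (aud mismatch)"
    granted = parse_scope(claims.get("scope", ""))
    if required_scope not in granted:
        return False, "scope %r not granted" % required_scope
    return True, "ok"


# Constructed sample claims: one token carrying two scopes for one audience.
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example.com",  # placeholder issuer
    "sub": "client-123",                   # placeholder client id
    "aud": "https://broker.example.com",
    "scope": "produce consume",
    "exp": 4102444800,                     # far-future expiry (2100-01-01)
}

if __name__ == "__main__":
    print(authorize(SAMPLE_CLAIMS, "produce"))
    print(authorize(SAMPLE_CLAIMS, "admin"))
    other_aud = dict(SAMPLE_CLAIMS, aud="https://other.example.com")
    print(authorize(other_aud, "produce"))
```

The two checks answer different questions: `aud` answers "was this token minted for me at all", `scope` answers "what is the caller allowed to do here". A configuration that swaps the two values would make the resource server compare its own identifier against a permission list, so keeping the parameters straight in the client config matters for the check to be meaningful.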