Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
This is a follow-up to the discussion in this issue. I am opening an issue for now so it is not forgotten; I might do a PR in the future.
If you are using the introspection endpoint to validate tokens (to check whether they should be accepted), then you should also pass the audience parameter to check that the given token is for the expected audience. This solves the problem of someone using an access token meant for one audience to gain access to another audience (both tokens are valid, just the audience is different).
Describe your ideal solution
The introspection endpoint should also accept an audience parameter, which would force access tokens passed to it to match the expected audience.
Workarounds or alternatives
After calling the introspection endpoint, the caller can manually check whether the audience in the response matches the expected audience, but that is error-prone.
Version
latest master branch
Additional Context
No response
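The manual check described under "Workarounds or alternatives", written out as an added Python example (not code from Ory or the issue author). It assumes the resource server already holds the decoded JSON body of an RFC 7662 introspection response; the audience URLs and responses are constructed placeholders.

```python
"""Validate an OAuth 2.0 token-introspection (RFC 7662) response for an expected audience.

Added example, not code from Ory or the issue author. Assumes the resource server has
already called the introspection endpoint and holds the decoded JSON body.
"""
import json
from typing import Any


def _aud_values(aud: Any) -> list[str]:
    """RFC 7662 (via RFC 7519) allows ``aud`` to be a single string or an array of strings."""
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    # Anything else is malformed; treat it as "no audience" rather than guessing.
    return []


def token_is_valid_for(introspection: dict, expected_audience: str) -> bool:
    """Accept a token only if it is active AND was issued for ``expected_audience``.

    Checking ``active`` alone is the gap described in the issue: a token minted for a
    different API would still be accepted. Exact string comparison is used, so
    "https://api.example.test/v1" never matches "https://api.example.test".
    """
    if introspection.get("active") is not True:
        return False
    return expected_audience in _aud_values(introspection.get("aud"))


# Constructed sample introspection responses (not real tokens or real endpoints).
RESPONSE_FOR_BILLING = json.loads('{"active": true, "sub": "user-1", "scope": "read",'
                                  ' "aud": ["https://billing.example.test"]}')
RESPONSE_FOR_REPORTS = json.loads('{"active": true, "sub": "user-1", "scope": "read",'
                                  ' "aud": "https://reports.example.test"}')
RESPONSE_INACTIVE = json.loads('{"active": false}')


def demo() -> dict[str, bool]:
    """Show how an active-only check and an audience-aware check differ on the same tokens."""
    billing = "https://billing.example.test"
    return {
        "active_only_accepts_reports_token": RESPONSE_FOR_REPORTS.get("active") is True,
        "aud_check_accepts_billing_token": token_is_valid_for(RESPONSE_FOR_BILLING, billing),
        "aud_check_rejects_reports_token": not token_is_valid_for(RESPONSE_FOR_REPORTS, billing),
        "aud_check_rejects_inactive": not token_is_valid_for(RESPONSE_INACTIVE, billing),
    }


if __name__ == "__main__":
    print(demo())
```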