Web Agents 2023.11.2

Disable Audience Claim Validation

The claims to validate in the ID token containing the end user’s session:

  • 0: Validate the aud and nonce claim.

  • 1: Validate the nonce claim; don’t validate the aud claim.

During an authentication request, AM creates an ID token that contains, among others, the end user’s session, and the aud claim. The aud claim is set to the agent profile of the agent that made the request. When AM returns the ID token to the end user’s user-agent, it appends a nonce parameter to the request, which is a one-time-usable random string that is understood by both AM and the agent that made the authentication request.

When the agent receives a request to access a protected resource, the agent checks that the audience (the aud claim) of the ID token and the value of the nonce are appropriate. For example, it checks that the value of the aud claim is the name of its own agent profile.

In environments where several agents protect the same application, this validation poses a problem; even if the ID token is valid and contains a valid session, an agent cannot validate a ID token created for a different agent because the audience would not match. Therefore, the agent redirects the end user to authenticate again.

For security reasons, agents should validate as many claims in the ID token as possible.

Default: 0

Property name

com.forgerock.agents.jwt.aud.disable
  Introduced in Web Agent 5.7

Function

Profile

Type

Integer

Bootstrap property

No

Required property

No

Restart required

No

AM console

Tab: Global

Title: Disable Audience Claim Validation