-
Type: Investigation
-
Resolution: Done
-
Priority: Major - P3
-
Affects Version/s: None
-
Component/s: OIDC DB Auth
-
None
Original Downstream Change Summary
As part of PM-3662, the server will start rejecting OIDC access tokens that contain audience claims where the value is an empty array, or an array of multiple strings. This behavior will be backported to 7.0 & 7.3.
Description of Linked Ticket
If a client presents an access token where the "aud" claim is an array containing more than one string, then the server should reject it.
- depends on
-
SERVER-86607 Reject access tokens with multiple audience claims
- Closed