Workaround for Azure integration when private_key_jwt is used as auth method

[mciocan]

Hello @panva ,

We have an integration with Microsoft Azure and the authorization code flow is failing with "Number of audience values in the provided client credential exceed maximum allowed. 2 audience values provided maximum allowed is 1" - Similar issue

Our setup:

const issuer = await Issuer.discover(config.issuer + '/.well-known/openid-configuration');

const client = new issuer.Client({
	client_id: config.clientId,
	token_endpoint_auth_method: 'private_key_jwt'
}, JWKS);

Starting with versions greater than 4.5.1, the audience computed in client assertion is a set containing the issuer, token endpoint and mTLS token endpoint.

Is possible to filter the client assertion audience as a workaround to different provider implementations?

const issuer = await Issuer.discover(config.issuer + '/.well-known/openid-configuration');

const client = new issuer.Client({
	client_id: config.clientId,
	token_endpoint_auth_method: 'private_key_jwt',
        client_assertion_audience_filter: ()=> audience === issuer.issuer;
}, JWKS);

and on lib/helpers/client.js#L104 to use the filter function defined above

...
      const audience = [
        ...new Set(
          [
            this.issuer.issuer,
            this.issuer.token_endpoint,
            this.issuer[`${endpoint}_endpoint`],
            mTLS && this.issuer.mtls_endpoint_aliases
              ? this.issuer.mtls_endpoint_aliases.token_endpoint
              : undefined,
          ].filter( this.client_assertion_audience_filter || Boolean),
        ),
      ];
...

I can create a PR if you think it's a valid ideea!

Thank you!

[panva]

You can just use the existing clientAssertionPayload option on the methods that trigger an authenticated request.

[mciocan]

Sorry about that 😞
Next time I'll check the docs more carefully!

Now the flow is working with the solution you provided!

Thank you so much for this project (and jose and oidc-provider ❤️ )

[panva]

You're welcome. Please consider asking your company to sponsor the projects.

[mciocan]

I've made a personal donation. It's a little bit more complicated with my company.

Thank you again ❤️