🐛 Fix oidc token aud

2025-08-25 23:17:40 +08:00
parent c30946daf6
commit 5a44952b27
1 changed files with 2 additions and 4 deletions
--- a/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
+++ b/DysonNetwork.Pass/Auth/OidcProvider/Services/OidcProviderService.cs
@@ -158,14 +158,13 @@ public class OidcProviderService(
        {
            new(JwtRegisteredClaimNames.Iss, _options.IssuerUri),
            new(JwtRegisteredClaimNames.Sub, session.AccountId.ToString()),
-            new(JwtRegisteredClaimNames.Aud, client.Id.ToString()),
+            new(JwtRegisteredClaimNames.Aud, client.Slug),
            new(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(), ClaimValueTypes.Integer64),
            new(JwtRegisteredClaimNames.Exp,
                now.Plus(Duration.FromSeconds(_options.AccessTokenLifetime.TotalSeconds)).ToUnixTimeSeconds()
                    .ToString(), ClaimValueTypes.Integer64),
            new(JwtRegisteredClaimNames.AuthTime, session.CreatedAt.ToUnixTimeSeconds().ToString(),
                ClaimValueTypes.Integer64),
-            new(JwtRegisteredClaimNames.Aud, client.Id)
        };

        // Add nonce if provided (required for implicit and hybrid flows)
@@ -301,11 +300,10 @@ public class OidcProviderService(
                new Claim(JwtRegisteredClaimNames.Jti, session.Id.ToString()),
                new Claim(JwtRegisteredClaimNames.Iat, now.ToUnixTimeSeconds().ToString(),
                    ClaimValueTypes.Integer64),
-                new Claim(JwtRegisteredClaimNames.Aud, client.Id)
            ]),
            Expires = expiresAt.ToDateTimeUtc(),
            Issuer = _options.IssuerUri,
-            Audience = client.Id
+            Audience = client.Slug
        };

        // Try to use RSA signing if keys are available, fall back to HMAC