JWT access token
The OIDC specification does not require access tokens to be JWTs, but there seems to be a strong convention in the OIDC ecosystem that access tokens can be JWTs. This has finally been standardized by RFC 9068.
I suggest making this optional for Canaille users, and letting them choose which claims to set in the token.
This can be done by editing generate_access_token so it reuses some of the mechanisms of generate_id_token.
```python
def generate_access_token(client, grant_type, user, scope):
    # The audience is the list of client_ids this client is allowed to address.
    audience = [Client.get(dn).client_id for dn in client.audience]
    # Reuse the ID token machinery: claims come from generate_user_info,
    # signing key/alg/issuer/lifetime from get_jwt_config, and the empty dict
    # is the token payload generate_id_token would otherwise derive at_hash from.
    return generate_id_token(
        {}, generate_user_info(user, scope), aud=audience, **get_jwt_config(grant_type)
    )
```
LDAP refuses to save tokens longer than 228 characters at the moment; maybe we have hit the maximum length for DNs. This would be a problem as JWTs are quite long, and the access token string is used in the DN.
```
MDB_BAD_VALSIZE: Unsupported size of key/DB name/data, or wrong DUPFIXED size (-30781)
```
Edited by Éloi Rivard
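An added example, not part of the issue above and not Canaille's own code: it mints an RFC 9068 style access token (header `typ: at+jwt`, claims `iss`, `sub`, `aud`, `client_id`, `iat`, `exp`, `jti`, `scope`), validates it the way a resource server should, and measures the resulting string against the 228-character limit the issue observed. The HS256 signing with a shared secret, the issuer/client/resource names and the `dn_storage_key` helper are assumptions made for a self-contained script; a real OP would sign with an asymmetric key and its own storage layer.

```python
"""Mint and verify an RFC 9068 JWT access token with the standard library only,
then show why the token string is too long to be used as an LDAP DN value.
Example code, not Canaille's; HS256 and all names below are assumptions."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Limit observed in the issue: MDB rejected DN values longer than 228 chars.
OBSERVED_DN_VALUE_LIMIT = 228


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def generate_access_token(key: bytes, issuer: str, client_id: str, subject: str,
                          audience: list, scope: str, lifetime: int = 3600,
                          now: int = None) -> str:
    """Build a compact JWS whose header and claims follow RFC 9068 section 2."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}  # RFC 9068: typ MUST be at+jwt
    claims = {
        "iss": issuer,
        "sub": subject,
        "aud": audience,            # resource(s) the token is meant for
        "client_id": client_id,     # required by RFC 9068, unlike an ID token
        "iat": now,
        "exp": now + lifetime,
        "jti": secrets.token_urlsafe(16),  # unique id, usable for revocation
        "scope": scope,
    }
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = encode(header) + "." + encode(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_access_token(token: str, key: bytes, issuer: str, expected_audience: str,
                        now: int = None) -> dict:
    """Validate per RFC 9068 section 4: signature, typ/alg, iss, aud, exp.
    The signature is checked before any header field is trusted, so an
    'alg: none' header with an empty signature is rejected as a bad signature."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(key, f"{h}.{c}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h))
    if header.get("typ") != "at+jwt" or header.get("alg") != "HS256":
        raise ValueError("not an RFC 9068 access token")
    claims = json.loads(_b64url_decode(c))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_audience not in aud:
        raise ValueError("resource is not an audience of this token")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def verification_error(*args, **kwargs):
    """Return the rejection reason, or None when the token verifies."""
    try:
        verify_access_token(*args, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def dn_storage_key(token: str) -> str:
    """Assumed workaround for the DN length problem: index the stored token by a
    fixed-length SHA-256 hex digest (64 chars) instead of the token string itself,
    and keep the full token in a separate attribute."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


if __name__ == "__main__":
    key = b"shared-secret-for-the-example-only"
    tok = generate_access_token(key, "https://auth.example.com", "client-abc",
                                "alice", ["https://api.example.com"], "openid profile")
    print(tok)
    print(f"{len(tok)} chars; over the {OBSERVED_DN_VALUE_LIMIT} limit: "
          f"{len(tok) > OBSERVED_DN_VALUE_LIMIT}")
    print(verify_access_token(tok, key, "https://auth.example.com", "https://api.example.com"))
    print("DN key:", dn_storage_key(tok))
```

Even with short issuer and audience strings the minimal RFC 9068 claim set already pushes the compact token past 228 characters, which is why a hash or the `jti` claim is a better DN component than the token string.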