Hi Hydra people! I’ve got a question on the client credentials flow when used with a custom domain. It seems the audience in the JWT we’re supplying has to be the non-CNAME, i.e. it has to be the actual project domain. Specifically:

token, err := jwt.NewBuilder().
		Claim("sub", "some_user").
		Issuer(issuer).
		Audience([]string{"https://[custom-domain]/oauth2/token"}).
		IssuedAt(time.Now()).
		JwtID(uuid.NewString()).
		Expiration(time.Now().Add(1 * time.Hour)).
		Build()

Fails with error:

The JWT in 'assertion' request parameter MUST contain an 'aud' (audience) claim containing a value 'https://[custom-domain]/oauth2/token' that identifies the authorization server as an intended audience.

Yet:

token, err := jwt.NewBuilder().
		Claim("sub", "some_user").
		Issuer(issuer).
		Audience([]string{"https://[Ory-project-domain]/oauth2/token"}).
		IssuedAt(time.Now()).
		JwtID(uuid.NewString()).
		Expiration(time.Now().Add(1 * time.Hour)).
		Build()

Works just fine. The custom domain is used throughout in the rest of my client code, including to access the

/oauth2/token

endpoint, i.e.

req, err := http.NewRequest(http.MethodPost, "https://[custom-domain]/oauth2/token", strings.NewReader(data.Encode()))

Any pro tips on how to have Hydra accept the custom domain as a valid audience here?

I think you need to change the issuer maybe?

Ah yes, we’ve done that already - this is set as the custom domain. In my example code above, that’s set as a constant, i.e.

const issuer = "https://[custom-domain]"

Maybe your client doesn’t allow the audience? Did you check how it is configured?

I’d had a crack at that. I’ve got:

https://[custom-domain]
https://[custom-domain]/oauth2/token

Configured against the OAuth2 client, but alas that didn’t do it

Could you create (maybe in a new project) a reproducible case and create an issue for it in the Ory Network? So that I can reproduce it?

Hum, could be tricky in a new project as I don’t have another paid account to assign a custom domain to I can set up everything except that bit though And create an issue … here?

here: https://github.com/ory/network/issues

Sorry for the delay! I was working on a work around first before getting around to submitting the ticket. But now at last: https://github.com/ory/network/issues/299 I haven’t included API key or client secret in the report, but I can supply those direct if you require And FYI if you’re interested in the work around: I lookup the canonical domain of the custom domain to use as the audience, thus hacking a workaround just ahead of making the request to Ory