Add audience parameter to OAuth 2

Closes https://feedback.yaak.app/p/how-do-i-send-an-audience-using-oauth2
2026-04-20 07:41:22 +02:00 · 2025-05-16 07:17:22 -07:00
parent 8c0f889dd2
commit 9615d3e29b
6 changed files with 26 additions and 0 deletions
--- a/plugins/auth-oauth2/src/grants/authorizationCode.ts
+++ b/plugins/auth-oauth2/src/grants/authorizationCode.ts
@@ -19,6 +19,7 @@ export async function getAuthorizationCode(
    redirectUri,
    scope,
    state,
+    audience,
    credentialsInBody,
    pkce,
  }: {
@@ -29,6 +30,7 @@ export async function getAuthorizationCode(
    redirectUri: string | null;
    scope: string | null;
    state: string | null;
+    audience: string | null;
    credentialsInBody: boolean;
    pkce: {
      challengeMethod: string | null;
@@ -53,6 +55,7 @@ export async function getAuthorizationCode(
  if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
  if (scope) authorizationUrl.searchParams.set('scope', scope);
  if (state) authorizationUrl.searchParams.set('state', state);
+  if (audience) authorizationUrl.searchParams.set('audience', audience);
  if (pkce) {
    const verifier = pkce.codeVerifier || createPkceCodeVerifier();
    const challengeMethod = pkce.challengeMethod || DEFAULT_PKCE_METHOD;
@@ -95,6 +98,7 @@ export async function getAuthorizationCode(
          clientId,
          clientSecret,
          scope,
+          audience,
          credentialsInBody,
          params: [
            { name: 'code', value: code },
--- a/plugins/auth-oauth2/src/grants/clientCredentials.ts
+++ b/plugins/auth-oauth2/src/grants/clientCredentials.ts
@@ -10,12 +10,14 @@ export async function getClientCredentials(
    clientId,
    clientSecret,
    scope,
+    audience,
    credentialsInBody,
  }: {
    accessTokenUrl: string;
    clientId: string;
    clientSecret: string;
    scope: string | null;
+    audience: string | null;
    credentialsInBody: boolean;
  },
 ) {
@@ -29,6 +31,7 @@ export async function getClientCredentials(
  const response = await getAccessToken(ctx, {
    grantType: 'client_credentials',
    accessTokenUrl,
+    audience,
    clientId,
    clientSecret,
    scope,
--- a/plugins/auth-oauth2/src/grants/implicit.ts
+++ b/plugins/auth-oauth2/src/grants/implicit.ts
@@ -11,6 +11,7 @@ export function getImplicit(
    redirectUri,
    scope,
    state,
+    audience,
  }: {
    authorizationUrl: string;
    responseType: string;
@@ -18,6 +19,7 @@ export function getImplicit(
    redirectUri: string | null;
    scope: string | null;
    state: string | null;
+    audience: string | null;
  },
 ) :Promise<AccessToken> {
  return new Promise(async (resolve, reject) => {
@@ -34,6 +36,7 @@ export function getImplicit(
    if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
    if (scope) authorizationUrl.searchParams.set('scope', scope);
    if (state) authorizationUrl.searchParams.set('state', state);
+    if (audience) authorizationUrl.searchParams.set('audience', audience);
    if (responseType.includes('id_token')) {
      authorizationUrl.searchParams.set('nonce', String(Math.floor(Math.random() * 9999999999999) + 1));
    }
--- a/plugins/auth-oauth2/src/grants/password.ts
+++ b/plugins/auth-oauth2/src/grants/password.ts
@@ -13,6 +13,7 @@ export async function getPassword(
    username,
    password,
    credentialsInBody,
+    audience,
    scope,
  }: {
    accessTokenUrl: string;
@@ -21,6 +22,7 @@ export async function getPassword(
    username: string;
    password: string;
    scope: string | null;
+    audience: string | null;
    credentialsInBody: boolean;
  },
 ): Promise<AccessToken> {
@@ -40,6 +42,7 @@ export async function getPassword(
    clientId,
    clientSecret,
    scope,
+    audience,
    grantType: 'password',
    credentialsInBody,
    params: [