Client ID or multiple audiences in JSON Web Token

I am using OAuth 2.0 with JWT in my application and I am having trouble deciding what to put in my aud claim. A user will access my client through my authentication server in order to reach my API server (the resource). I want my tokens to be valid only for use with a specific client and a specific API.

(diagram: authentication flow)

When coming in from my client, I include its client_id in the request, but in most of what I found the aud parameter is set to client_id. I am inclined to specify an audience_id field alongside client_id in my login request and then set the token's aud to both client_id and audience_id, but that seems to simply mean that the token is valid for both audiences, which makes me think I should just add a custom claim called client to indicate specifically that this token was created for a particular client.

I have not seen any online implementations that include both client_id and audience_id in the OAuth login request, and I do not see a reserved claim for client in the specification.

Am I missing something?

What is the best way to specify different client_id and audience_id values in a JWT?

+7
oauth jwt json-web-token
1 answer

The JWT audience is the resource server, since that is where a token will be processed, that is, checked, verified and validated. From RFC 7519, https://tools.ietf.org/html/rfc7519#section-4.1.3 :

The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST
identify itself with a value in the audience claim.
[...]
The interpretation of audience values is generally application specific.
[...]

So it is best to use aud for the resource server.

The client is the presenter of the token, and it is best practice (that is, in OpenID Connect and some emerging OAuth 2.0 extension drafts) to use azp (Authorized Party) for that purpose. From http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken :

azp
OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different from the authorized party.
[...]

Thus, the best practice is that azp identifies the client.

+7
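As an added example that is not part of the question or the answer above: the split the answer recommends, aud naming the resource server and azp naming the client, shown as a minimal HS256 issuer and verifier written with only the Python standard library. Every concrete value here is constructed for illustration: the issuer URL, the API audience, the client_id, the shared HMAC secret (a real deployment would sign with an asymmetric key so the API holds only the public key), and the function names.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example (not from the original post).
SECRET = b"demo-shared-hmac-secret"        # shared by auth server and API in this toy setup
AUTH_SERVER = "https://auth.example.com"    # iss
API_AUDIENCE = "https://api.example.com"    # aud: the resource server that validates the token
CLIENT_ID = "web-client-123"                # azp: the client the token was issued to


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject, client_id, audiences, ttl=300, now=None, key=SECRET):
    """Authorization-server side: aud lists the resource server(s) that will
    validate the token, azp records which client it was issued to."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": AUTH_SERVER,
        "sub": subject,
        # RFC 7519 allows aud to be a single string or an array of strings.
        "aud": audiences[0] if len(audiences) == 1 else list(audiences),
        "azp": client_id,
        "iat": now,
        "exp": now + ttl,
    }

    def enc(obj):
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    signing_input = enc(header) + "." + enc(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token, my_audience, allowed_clients, now=None):
    """Resource-server side. Returns the claims or raises ValueError.
    Order matters: the signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":        # never let the token pick the algorithm (no "none")
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != AUTH_SERVER:
        raise ValueError("unexpected issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("expired")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if my_audience not in aud_list:         # RFC 7519 4.1.3: the recipient must find itself in aud
        raise ValueError("token not intended for this resource server")
    if claims.get("azp") not in allowed_clients:
        raise ValueError("token issued to a client this API does not accept")
    return claims


def verification_result(token, my_audience, allowed_clients, now=None):
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        verify_token(token, my_audience, allowed_clients, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = 1_700_000_000
    tok = mint_token("alice", CLIENT_ID, [API_AUDIENCE], now=now)
    print(verification_result(tok, API_AUDIENCE, {CLIENT_ID}, now + 10))                   # ok
    print(verification_result(tok, "https://other.example.com", {CLIENT_ID}, now + 10))   # wrong aud
    print(verification_result(tok, API_AUDIENCE, {"mobile-client"}, now + 10))            # wrong azp
```

The two rejections in the usage lines are the point of the answer: a token minted for another API is refused because this API does not appear in aud, and a token minted for a different client is refused by the azp check even though aud is right. A multi-audience token (aud as an array) still carries a single azp, so every resource server in the list can tell which client obtained it.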
