I am implementing OAuth 2.0 with JWT in my application and am having trouble deciding what to set as my aud
claim as. A user will "login" to my client via my authentication server to gain access to my API (resource) server. I want my tokens to only be valid for use with a specific client and specific API.
When logging in from my client, I include it't client_id
in the request, but in most implementations I've found, the aud
is set to that client_id
. I'm leaning towards including a customer audience_id
field in my login request and then setting the aud
in the token to an array of the client_id
and the audience_id
, but that feels like it just means that that token is valid for both those audiences
, which makes me think I should just add a custom claim called client
to specifically state that this token was created for a specific client.
I have not come across any implementations online that include both a client_id
and audience_id
(s) in an OAuth login request, nor do I see a reserved claim for client
in the spec.
Am I missing something here?
What is best practice for specifically stating a different client_id
and audience_id
in a JWT?
audience_id
in the initial login request from the client indicating what audience they are requesting access to? – Sawtelle