Client ID or Multiple Audiences In JSON Web Token
Asked Answered
S

1

10

I am implementing OAuth 2.0 with JWT in my application and am having trouble deciding what to set as my aud claim as. A user will "login" to my client via my authentication server to gain access to my API (resource) server. I want my tokens to only be valid for use with a specific client and specific API.

authentication flow

When logging in from my client, I include it't client_id in the request, but in most implementations I've found, the aud is set to that client_id. I'm leaning towards including a customer audience_id field in my login request and then setting the aud in the token to an array of the client_id and the audience_id, but that feels like it just means that that token is valid for both those audiences, which makes me think I should just add a custom claim called client to specifically state that this token was created for a specific client.

I have not come across any implementations online that include both a client_id and audience_id(s) in an OAuth login request, nor do I see a reserved claim for client in the spec.

Am I missing something here?

What is best practice for specifically stating a different client_id and audience_id in a JWT?

Sawtelle answered 14/8, 2015 at 15:41 Comment(0)
T
11

The audience of the JWT is the Resource Server as that is where the token will be processed, i.e. verified, inspected and acted upon. From RFC 7519, https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3:

The "aud" (audience) claim identifies the recipients that the JWT is
intended for. Each principal intended to process the JWT MUST
identify itself with a value in the audience claim.
[...]
The interpretation of audience values is generally application specific.
[...]

So best practice is that aud should identify the Resource Server.

The Client is only the presenter of the token and it is best practice (i.e. in OpenID Connect and some emerging OAuth 2.0 exension drafts) to use the azp (Authorized Presenter) for that claim. From http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken :

azp
OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party.
[...]

So best practice is that azp identifies the Client.

Thankful answered 14/8, 2015 at 16:6 Comment(2)
and then include an audience_id in the initial login request from the client indicating what audience they are requesting access to?Sawtelle
that relationship can indirectly be created using the scope concept (and request parameter); this allows for more flexibility than just a one-to-one mapping between scope and resource server; in general a scope models an access permission: a scope may map to a resource server but may also map to a particular resource protected by a resource server among others, or a collection of resource serversThankful

© 2022 - 2024 — McMap. All rights reserved.