IdentityServer on MVC: What is Audience referring to in AddJwtBearer

I already have the access token working with my application in my API gateway.

    using Microsoft.AspNetCore.Authentication.JwtBearer;

    // Startup.ConfigureServices(IServiceCollection services)
    var identityUrl = Configuration.GetValue<string>("urls:identity");   // read here but not used below
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.Authority = Configuration.GetValue<string>("IdentityUrlExternal");
        options.RequireHttpsMetadata = false;   // allows a plain-HTTP discovery document; development only
        options.Audience = "api1";              // value the token's 'aud' claim must contain
        options.Events = new JwtBearerEvents();
    });

What is the audience option in AddJwtBearer referring to? Does that refer to the ClientId or the ApiScope? At the moment, I based it on the scope of my mobile application set up to communicate with the API gateway. If I change it to something else, e.g. a client id sent from mobile (ro.client), the authorized API function can no longer be accessed.

I would like to get a clear understanding of whether my setting is correct.

In addition, how do I add an authorized scope in the ASP.NET Core MVC project under the controller?

Fredrika answered 31/7, 2018 at 21:55

Comments (4):
I think the IdentityServer4 documentation is obvious: docs.identityserver.io/en/release/topics/apis.html – Emelina
Sorry, I think I missed that part of my reading. Thanks – Fredrika
I don't think it's obvious. What is the name of an API resource? – Dollie
That link is no longer valid. – Rounders
The following link will take you to the explanation: http://docs.identityserver.io/en/latest/topics/apis.html

The ApiName property checks if the token has a matching audience (or short aud) claim.

In IdentityServer you can also sub-divide APIs into multiple scopes. If you need that granularity you can use the ASP.NET Core authorization policy system to check for scopes.

Scholasticism answered 22/2, 2019 at 10:57

Comments (1):
It doesn't answer the question. The docs explain further: "When using the scope-only model, no aud (audience) claim will be added to the token since this concept does not apply. If you need an aud claim, you can enable the EmitStaticAudienceClaim setting on the options." and also "...all the requested scope and audience combination get merged into a single access token". So, the answer is: "aud" is a claim with similar functions as scopes and for the same purposes. The choice of scopes and/or aud claims seems to depend more on the client, or to have historical reasons, rather than having security implications. – Affettuoso
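The two checks the answer above separates (the 'aud' claim matched against the API resource name, and scopes enforced through ASP.NET Core authorization policies) fit together as below. This is an added example, not code from the question or from the IdentityServer documentation; the configuration key IdentityUrlExternal and the resource name api1 come from the question, while the policy names api1.read and api1.write, the OrdersController and the HasScope helper are assumptions made for illustration. HasScope deliberately accepts both forms IdentityServer can emit for the scope claim (one claim per scope, or a single space-delimited claim), because RequireClaim("scope", "api1.read") silently fails on the second form.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer and signing keys are taken from the discovery document at this URL.
                options.Authority = Configuration["IdentityUrlExternal"];
                options.RequireHttpsMetadata = true;   // only set to false on a development box

                // Audience = the API *resource* name registered in IdentityServer
                // (e.g. new ApiResource("api1", ...)), not the client id and not a scope.
                // The handler rejects any token whose 'aud' claim does not contain it.
                options.Audience = "api1";
            });

        // Scopes are the finer-grained check: map each one to a policy.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("api1.read", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => HasScope(ctx.User, "api1.read")));   // assumed scope name

            options.AddPolicy("api1.write", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => HasScope(ctx.User, "api1.write")));  // assumed scope name
        });

        services.AddControllers();
    }

    // Handles both claim shapes: several "scope" claims, or one "scope" claim
    // holding a space-separated list. A plain RequireClaim only matches the first shape.
    public static bool HasScope(ClaimsPrincipal user, string scope) =>
        user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(scope, StringComparer.Ordinal);
}

// Hypothetical controller showing where the policies attach.
[ApiController]
[Route("orders")]
[Authorize]                                   // any token that passed the 'aud' check gets this far
public class OrdersController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "api1.read")]         // additionally requires the api1.read scope
    public IActionResult List() => Ok(new[] { "order-1" });

    [HttpPost]
    [Authorize(Policy = "api1.write")]        // additionally requires the api1.write scope
    public IActionResult Create() => Created("orders/order-2", null);
}
```

Keep the two layers distinct when debugging: a 401 from the bearer handler means the token failed validation (wrong aud, issuer, signature or expiry), while a 403 from a policy means a valid token for api1 simply did not carry the scope the action demands.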
An audience is a unique identifier for an issued token. The audience value could be either the client id for an id token or an API for an access token.

In your project, you can communicate with api1 by adding it to the scope of your application.

Electro answered 22/12, 2022 at 18:31