Importance of validating issuer and audience in a JWT when the app is the only token provider for itself
Sounds like a stupid question, but I cannot find/infer the answer to the following questions from the many articles.

  1. Who is the Issuer? (Probably the token provider we trust, like "Google, Facebook, etc.", and our site accepts tokens from them.)
  2. Who is the Audience?
  3. Should I validate these two if I don't use OAuth and OpenID? I mean, are they only used for 3rd-party authentication/authorization (because my site is the only issuer of my own tokens)?
  4. What risk do I take if I don't validate these two, when my site doesn't use 3rd parties to authenticate and authorize?
Nonbelligerent answered 5/10, 2018 at 14:41
  1. Yes, the issuer is the provider of the token.
  2. The Client, i.e. the recipient, in OpenID Connect; the Resource Server in OAuth 2.0.
  3. If a JWT has an audience, the recipient should validate that it is the audience.
  4. Someone uses a token that was issued for a different service/API (e.g. API B) against your service/API (e.g. API A).
Drugstore answered 9/10, 2018 at 16:12
The word "Client" is confusing in 2. It should be "Resource Server", which is the receiving party. Client may refer to the API client that is trying to use the token to access resources. (Gonzales)
Updated the answer to include OAuth vs. OIDC. (Drugstore)
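To make point 4 of the answer concrete, here is an added example (not part of the original answer or any library) that mints HS256 JWTs with only the Python standard library and then verifies them the way a resource server should: signature first, then `iss`, then `aud`, then `exp`. The issuer URL, the audience names `api-a`/`api-b`, the shared key and all claims are constructed for the demo. The scenario matches the question: one app is the only issuer, so both of its APIs share the same signing key, which means the signature alone cannot tell API A that a token was minted for API B; only the `aud` check can. Requiring `exp` is a policy choice of this example, not something the JWT spec mandates.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed shared HMAC key for the demo; a real deployment keeps this in a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, key: bytes = SECRET) -> str:
    """Issue a compact-serialised HS256 JWT over the given claims (the issuer side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
                _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    signature = hmac.new(key, ".".join(segments).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segments + [_b64url(signature)])


class TokenRejected(Exception):
    """Raised by verify() with a short reason the resource server can log."""


def verify(token: str, expected_iss: str, expected_aud: str,
           key: bytes = SECRET, now=None) -> dict:
    """Resource-server side: accept the token only if every check passes."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:
        raise TokenRejected("malformed") from None
    # Pin the algorithm: the verifier decides how to verify, never the token.
    if header.get("alg") != "HS256":
        raise TokenRejected("algorithm")
    expected_sig = hmac.new(key, f"{parts[0]}.{parts[1]}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise TokenRejected("signature")
    # iss: who minted it. A token from another issuer that happens to share the key
    # (e.g. a staging deployment) still carries a valid signature, so check iss explicitly.
    if claims.get("iss") != expected_iss:
        raise TokenRejected(f"issuer {claims.get('iss')!r}")
    # aud: who it was minted for. RFC 7519 allows a string or an array of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise TokenRejected(f"audience {aud!r}")
    exp = claims.get("exp")
    if exp is None or now >= exp:
        raise TokenRejected("expired")
    return claims


def decide(token: str, expected_iss: str, expected_aud: str,
           key: bytes = SECRET, now=None) -> str:
    """Return 'accepted' or 'rejected: <reason>' so callers can log the outcome."""
    try:
        verify(token, expected_iss, expected_aud, key, now)
        return "accepted"
    except TokenRejected as why:
        return f"rejected: {why}"


if __name__ == "__main__":
    ISS = "https://auth.example.com"  # the app's own issuer URL (constructed)
    exp = int(time.time()) + 300
    cases = [
        ("token minted for api-a",
         {"iss": ISS, "aud": "api-a", "sub": "alice", "exp": exp}),
        ("token minted for api-b, replayed against api-a",
         {"iss": ISS, "aud": "api-b", "sub": "alice", "exp": exp}),
        ("token from a staging issuer that shares the key",
         {"iss": "https://staging.example.com", "aud": "api-a", "sub": "alice", "exp": exp}),
    ]
    for label, claims in cases:
        print(f"{label}: {decide(mint(claims), ISS, 'api-a')}")
```

Note the order of checks: the signature is verified before any claim is trusted, and the algorithm is pinned by the verifier rather than read from the token. The second case is exactly the risk the answer describes: the signature is perfectly valid because the same app signed it, and only the audience check stops API A from honouring a token meant for API B.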
