The audience of the ID token is the web app (or it can also be the token endpoint, in the case of the JWT grant type); the audience of the access token is the API (or wherever it will be used by the web app), so those can be two different values.

This [1] is a good way we should consider implementing: to request an access token for a given audience.

[1]: https://tools.ietf.org/id/draft-tschofenig-oauth-audience-00.html

Thanks & regards,
-Prabath

On Mon, Aug 21, 2017 at 11:02 PM, Gayan Gunawardana <[email protected]> wrote:

> According to the OpenID Connect specification [1], the "aud" value is the client id
> with identifiers for other audiences.
>
> {
>   "iss": "https://server.example.com",
>   "sub": "24400320",
>   "aud": "s6BhdRkqt3",
>   "nonce": "n-0S6_WzA2Mj",
>   "exp": 1311281970,
>   "iat": 1311280970,
>   "auth_time": 1311280969,
>   "acr": "urn:mace:incommon:iap:silver"
> }
>
> But in token introspection [2] the "aud" value is more like the service provider URL
> with identifiers for other audiences.
>
> {
>   "active": true,
>   "client_id": "l238j323ds-23ij4",
>   "username": "jdoe",
>   "scope": "read write dolphin",
>   "sub": "Z5O3upPC88QrAjx00dis",
>   "aud": "https://protected.example.net/resource",
>   "iss": "https://server.example.com/",
>   "exp": 1419356238,
>   "iat": 1419350238,
>   "extension_field": "twenty-seven"
> }
>
> Can we have different Audience values for the token introspection response and
> the ID Token? If not, we can have both as Audience values.
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
> [2] https://tools.ietf.org/html/rfc7662#section-2.2
>
> Thanks,
> Gayan
>
> --
> Gayan Gunawardana
> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://facilelogin.com
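The point of the exchange above is that the two consumers check "aud" against different values: the web app checks an ID token for its own client_id (OpenID Connect Core 1.0, section 3.1.3.7, which also requires "azp" when several audiences are listed), while the API checks the "aud" of an introspection response for its own resource identifier. The following is an added example, not code from this thread or from WSO2 Identity Server; the claim sets are constructed samples patterned on the two quoted in the thread, and the function names, the fixed `now` values and the reason strings are this example's own choices.

```python
"""Audience checks for the two token types discussed in the thread.

Added example (not from the thread or from WSO2): an ID token is consumed by
the relying party, so its "aud" must contain that app's client_id; an access
token is consumed by the API, so the "aud" in an RFC 7662 introspection
response must contain the API's own identifier.  Samples are constructed.
"""
import time


def _audiences(claims):
    """Normalise "aud" (a string or an array of strings) to a list."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    raise ValueError('"aud" must be a string or an array of strings')


def _expired(claims, now):
    """A missing or non-numeric "exp" is treated as expired."""
    exp = claims.get("exp")
    return not isinstance(exp, (int, float)) or now >= exp


def check_id_token(claims, client_id, issuer, now=None):
    """Relying-party side: (accepted, reason) for an ID token's claim set."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    auds = _audiences(claims)
    if client_id not in auds:
        return False, "aud does not contain this client_id"
    # With several audiences the authorized party must be named and be us.
    if len(auds) > 1 and claims.get("azp") != client_id:
        return False, "multiple audiences but azp is missing or not this client"
    if "azp" in claims and claims["azp"] != client_id:
        return False, "azp is another client"
    if _expired(claims, now):
        return False, "token expired"
    return True, "ok"


def check_access_token(introspection, resource_id, now=None):
    """Resource-server side: (accepted, reason) for an introspection response."""
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        return False, "token not active"
    if resource_id not in _audiences(introspection):
        return False, "aud does not name this resource server"
    if _expired(introspection, now):
        return False, "token expired"
    return True, "ok"


# Constructed samples, patterned on the two claim sets quoted in the thread.
ID_TOKEN = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "exp": 1311281970,
    "iat": 1311280970,
}
INTROSPECTION = {
    "active": True,
    "client_id": "l238j323ds-23ij4",
    "scope": "read write dolphin",
    "sub": "Z5O3upPC88QrAjx00dis",
    "aud": "https://protected.example.net/resource",
    "iss": "https://server.example.com/",
    "exp": 1419356238,
    "iat": 1419350238,
}

if __name__ == "__main__":
    api = "https://protected.example.net/resource"
    # The web app accepts the ID token issued for its client_id.
    print(check_id_token(ID_TOKEN, "s6BhdRkqt3", "https://server.example.com", 1311281000))
    # The API refuses the same claims: "aud" names the web app, not the API.
    print(check_access_token({"active": True, **ID_TOKEN}, api, 1311281000))
    # The API accepts the introspection response whose "aud" is its own URL.
    print(check_access_token(INTROSPECTION, api, 1419350300))
```

Each consumer compares "aud" against the identifier it was configured with, so the same validator rejects a token that was minted for the other party even when the issuer and signature are fine; that separation is what lets the two values differ without either side accepting the wrong token.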
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
