Hi,

The aud claim in the ID token is used to identify which parties the JWT is
intended for. If the client application needs to process the JWT, then it
should identify itself as a value in the audiences claim. Therefore it is
valid and rational to have the client ID in the audience claim.

Currently, it is possible to configure the audiences for OpenID Connect
via identity.xml, but it will get applied globally in all SPs. We are going
to support multiple audience configuration in IS 5.5.0 via the UI, similar
to how it's done in SAML. As an improvement to this, we can include the
client identifier in the audience claim as well.

Thanks,
Sathya



On Wed, Aug 23, 2017 at 2:09 PM, Prabath Siriwardena <[email protected]>
wrote:

> The audience of the ID token is the web app (or it can also have the token
> endpoint - in case of the JWT grant type) - the audience of the access
> token is the API (or where it will be used by the web app), so those can
> be two different values.
>
> This [1] is a good way we should consider implementing - to request an
> access token for a given audience.
>
> [1]: https://tools.ietf.org/id/draft-tschofenig-oauth-audience-00.html
>
> Thanks & regards,
> -Prabath
>
>
>
> On Mon, Aug 21, 2017 at 11:02 PM, Gayan Gunawardana <[email protected]>
> wrote:
>
>> According to the OpenID Connect specification [1], the "aud" value is the
>> client ID, with identifiers for other audiences.
>>
>>  {
>>    "iss": "https://server.example.com",
>>    "sub": "24400320",
>>    "aud": "s6BhdRkqt3",
>>    "nonce": "n-0S6_WzA2Mj",
>>    "exp": 1311281970,
>>    "iat": 1311280970,
>>    "auth_time": 1311280969,
>>    "acr": "urn:mace:incommon:iap:silver"
>>  }
>>
>> But in the token introspection response, the "aud" value is more like the
>> service provider URL, with identifiers for other audiences.
>>
>>  {
>>    "active": true,
>>    "client_id": "l238j323ds-23ij4",
>>    "username": "jdoe",
>>    "scope": "read write dolphin",
>>    "sub": "Z5O3upPC88QrAjx00dis",
>>    "aud": "https://protected.example.net/resource",
>>    "iss": "https://server.example.com/",
>>    "exp": 1419356238,
>>    "iat": 1419350238,
>>    "extension_field": "twenty-seven"
>>  }
>>
>> Can we have different Audience values for the token introspection response
>> and the ID Token? If not, we can have both as Audience values.
>>
>> [1] http://openid.net/specs/openid-connect-core-1_0.html#IDToken
>> [2] https://tools.ietf.org/html/rfc7662#section-2.2
>>
>> Thanks,
>> Gayan
>>
>> --
>> Gayan Gunawardana
>> Senior Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: [email protected]
>> Mobile: +94 (71) 8020933
>>
>
>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
>
> _______________________________________________
> Dev mailing list
> [email protected]
> http://wso2.org/cgi-bin/mailman/listinfo/dev
>
>


-- 
Sathya Bandara
Software Engineer
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
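The thread's point that the ID token's aud must name the client, while an access token may be addressed to an API, is exactly what a relying party has to verify before trusting an ID token. The following is an added example, not code from this thread or from WSO2 Identity Server, showing the aud/azp checks of OpenID Connect Core 1.0 section 3.1.3.7 on already-decoded claims; it assumes the JWT signature, exp and nonce are validated separately, and the sample claims reuse the spec example values quoted above.

```python
# Added example, not code from the thread or from WSO2 IS: audience checks for
# a decoded ID token, following the aud/azp rules of OpenID Connect Core 1.0
# section 3.1.3.7. Signature, exp and nonce are assumed to be checked elsewhere.

def audience_list(aud):
    """'aud' is one string or an array of strings (RFC 7519); anything else
    is malformed and yields an empty list, which then fails validation."""
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return list(aud)
    return []


def check_id_token_audience(claims, client_id, issuer, trusted_audiences=()):
    """Return True only if the ID token is addressed to this client:
    - iss must be the expected issuer
    - aud must contain this client's client_id
    - every other audience must be one this client explicitly trusts
    - if aud has several values, azp must be present
    - if azp is present, it must equal client_id
    """
    if claims.get("iss") != issuer:
        return False
    audiences = audience_list(claims.get("aud"))
    if client_id not in audiences:
        return False
    if set(audiences) - {client_id} - set(trusted_audiences):
        return False  # token is also meant for a party we do not trust
    azp = claims.get("azp")
    if len(audiences) > 1 and azp is None:
        return False
    if azp is not None and azp != client_id:
        return False
    return True


# Constructed sample using the spec example values quoted in the thread:
# the ID token's aud is the relying party's client_id.
SAMPLE_ID_TOKEN = {
    "iss": "https://server.example.com",
    "sub": "24400320",
    "aud": "s6BhdRkqt3",
    "nonce": "n-0S6_WzA2Mj",
    "exp": 1311281970,
    "iat": 1311280970,
}
```

An ID token whose aud only names an API, as in the introspection example above, is correctly rejected by this check even when the signature is valid, because the token was never addressed to the relying party.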
