The aud claim should be the "application" or "resource server" that the
token would be used with; neither the authorization server nor the client
that receives the token should be the value.

On Fri, Jul 15, 2022 at 7:27 AM Janak Amarasena <janakama...@gmail.com>
wrote:

> Hi,
>
> I am sending this email to clarify something I read in the JSON Web Token
> (JWT) Profile for OAuth 2.0 Access Tokens specification (RFC 9068).
>
> Regarding the “aud” claim in the access token the specification mentions
> that:
> (https://datatracker.ietf.org/doc/html/rfc9068#section-3)
>
> "If the request does not include a "resource" parameter, the authorization
> server MUST use a default resource indicator in the "aud" claim. If a
> "scope" parameter is present in the request, the authorization server
> SHOULD use it to infer the value of the default resource indicator to be
> used in the "aud" claim."
>
> It's not quite clear what the default resource indicator should usually
> be. My initial thoughts were that it should either be the authorization
> server or the client application. However, adding the client application as
> the default audience feels a bit counterintuitive as the client
> application would not generally consume the access token itself, but rather
> use it to access a resource.
>
> Best Regards,
> Janak Amarasena
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
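As an added example (not from this thread or from RFC 9068 itself), a minimal resource-server check in Python that enforces the reply's point: the token is accepted only if its aud names this resource server, so a token whose aud is the authorization server or the client is rejected. RESOURCE_ID, ISSUER, the shared HS256 key and mint_token are constructed for the example; real deployments usually verify asymmetric signatures with a JWT library and a key set from the authorization server.

```python
import base64, hmac, hashlib, json, time

# Constructed values for this example: the protected resource's identifier,
# the authorization server's issuer, and a shared HS256 key (offline stand-in).
RESOURCE_ID = "https://api.example.com"
ISSUER = "https://as.example.com"
SECRET = b"constructed-example-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(claims: dict, typ: str = "at+jwt") -> str:
    """Build a compact HS256 JWT; stands in for the authorization server."""
    head = b64url(json.dumps({"alg": "HS256", "typ": typ}).encode())
    signing_input = head + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def validate_access_token(token: str, now: float) -> dict:
    """Resource-server checks from RFC 9068 section 4; raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    if header.get("typ") != "at+jwt":
        raise ValueError("not a JWT access token (typ must be at+jwt)")
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    # The thread's point: aud must name this resource server. A token whose aud
    # is only the authorization server or the client was not issued for us.
    if RESOURCE_ID not in aud:
        raise ValueError(f"token not intended for this resource server: aud={aud}")
    return claims

def is_accepted(token: str, now: float) -> bool:
    try:
        return bool(validate_access_token(token, now))
    except ValueError:
        return False
```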