Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Client ID or Multiple Audiences In JSON Web Token

Tags:

oauth

oauth-2.0

jwt

json-web-token

I am implementing OAuth 2.0 with JWT in my application and am having trouble deciding what to set as my aud claim as. A user will "login" to my client via my authentication server to gain access to my API (resource) server. I want my tokens to only be valid for use with a specific client and specific API.

authentication flow

When logging in from my client, I include it't client_id in the request, but in most implementations I've found, the aud is set to that client_id. I'm leaning towards including a customer audience_id field in my login request and then setting the aud in the token to an array of the client_id and the audience_id, but that feels like it just means that that token is valid for both those audiences, which makes me think I should just add a custom claim called client to specifically state that this token was created for a specific client.

I have not come across any implementations online that include both a client_id and audience_id(s) in an OAuth login request, nor do I see a reserved claim for client in the spec.

Am I missing something here?

What is best practice for specifically stating a different client_id and audience_id in a JWT?

like image 311
Greg Avatar asked Aug 14 '15 15:08

Greg

Video Answer

1 Answers

The audience of the JWT is the Resource Server as that is where the token will be processed, i.e. verified, inspected and acted upon. From RFC 7519, https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3:

The "aud" (audience) claim identifies the recipients that the JWT is
intended for. Each principal intended to process the JWT MUST
identify itself with a value in the audience claim.
[...]
The interpretation of audience values is generally application specific.
[...]

So best practice is that aud should identify the Resource Server.

The Client is only the presenter of the token and it is best practice (i.e. in OpenID Connect and some emerging OAuth 2.0 exension drafts) to use the azp (Authorized Presenter) for that claim. From http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken :

azp
OPTIONAL. Authorized party - the party to which the ID Token was issued. If present, it MUST contain the OAuth 2.0 Client ID of this party. This Claim is only needed when the ID Token has a single audience value and that audience is different than the authorized party.
[...]

So best practice is that azp identifies the Client.

like image 79
Hans Z. Avatar answered Oct 19 '22 15:10

Hans Z.
Sign in to Comment

Related questions

What is XOauth and its relationship with OAuth?
Whether there is any Php client for Oauth2? [closed]
Instagram Auth Broken?
Has anybody implemented 2 Legged OAuth using DNOA?
401 Error "oauth_problem=nonce_used" Adding Products To Magento w/ Rest API
Google voice PHP OAuth 2.0
How to use Twitter API from client side?
Using both OAuth and Basic Auth in Asp.Net Web Api with Owin
Laravel 5.4 OAuth with Dingo internal requests
OAuth 2.0 -- What's new? [closed]
Best way to handle authentication on .NET WCF Web API
But Seriously.... Example of ASP.NET WebAPI implementation including OAuth
Is it possible to get phone number via Google oAuth2?
How can I connect Aweber to my Rails app using OAuth?
Google picker auth popup is being blocked
Access private images with <img> tag in REST with Spring security & JWT
Token type in the Authorization header is invalid,ebay api
Best Learning Resource for OAuth
How to give user JWT token after OAuth provider redirect?
Android: Google SSO - OAuth or AccountManager? Or both?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!