I am confused that there seems to be no standard way to specify the audience for an access token when sending an authorization request to an authorization server.
OAuth2 specifies access tokens as opaque strings; there is only one mention of 'audience' in the spec, to say that access tokens could be 'audience-restricted'. Many recent authorization server implementations seem to produce JWT access tokens, and JWT specifies the audience (aud) claim.
As far as I can find:
- Auth0 uses an 'audience' parameter
- Connect2id uses a 'resource' parameter
- Identity Server uses a fixed issuer-based value for the 'aud' claim, and assumes that scopes are enough - however, this does not fit all use cases.
- The excellent 'OAuth2 in Action' book shows an example with a resource server URI in the 'aud' claim, but doesn't say where it comes from.
So, how to get an access token for a specific audience (resource server, API,...) in a standard way?
I think you are right. There are a couple of guidelines available.
- The OAuth 2.0 Authorization Framework: Bearer Token Usage
- OAuth 2.0: Audience Information (draft-tschofenig-oauth-audience-00.txt)
OpenID Connect has a clearly defined "aud" parameter:
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
You mentioned the Tschofenig draft in your comment on the accepted answer, but it looks like that doc actually does support using the audience field:
The audience URI MUST be an absolute URI as defined by Section 4.3 of [3]. It MAY include an "application/x-www-form-urlencoded" formatted query component
In fact it speaks quite strongly that this step is important and that it should be done in exactly that manner:
Step (2): When the client interacts with the token endpoint to obtain an access token it MUST populate the newly defined audience parameter ...
So it seems Auth0 is probably on the right track with the direction they took. And as you pointed out in your comment, the aud field is for the response, not the request (common libraries like jsonwebtoken in NodeJs set fields like this (along with sub, jti, and iss) when you decode a JWT).
The "Proposed Standard" way of requesting an Access Token for a specific Audience/API/Resource Server is by using the resource query parameter on the Authorization Request.
When the "resource" parameter is used in an authorization request to the authorization endpoint, it indicates the identity of the protected resource(s) to which access is being requested.
resource
Indicates the target service or resource to which access is being requested. Its value MUST be an absolute URI
RFC8707: Resource Indicators for OAuth 2.0 https://datatracker.ietf.org/doc/html/rfc8707#section-2
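The request and the matching check on the API side, as an added example that is not part of any answer above: the client builds an authorization request with RFC 8707 `resource` parameters, and the resource server accepts a token only if its own identifier appears in `aud` (a string or an array, as in the definition quoted earlier). The function names and example.com URLs are hypothetical, and it assumes the authorization server copies the requested resource into `aud` and that the JWT signature was already verified.

```python
from urllib.parse import urlencode, urlsplit


def check_resource(uri: str) -> str:
    """RFC 8707 section 2: absolute URI, no fragment component."""
    if not urlsplit(uri).scheme:
        raise ValueError(f"resource must be an absolute URI: {uri!r}")
    if "#" in uri:
        raise ValueError(f"resource must not contain a fragment: {uri!r}")
    return uri


def build_authorization_url(endpoint, client_id, redirect_uri, scope, state, resources):
    """Authorization request carrying one 'resource' parameter per target API."""
    params = [
        ("response_type", "code"),
        ("client_id", client_id),
        ("redirect_uri", redirect_uri),
        ("scope", scope),
        ("state", state),
    ]
    # RFC 8707 allows the parameter to be repeated for several resources.
    params += [("resource", check_resource(r)) for r in resources]
    return f"{endpoint}?{urlencode(params)}"


def audience_matches(claims: dict, own_identifier: str) -> bool:
    """Resource-server check on already signature-verified JWT claims."""
    aud = claims.get("aud")
    if isinstance(aud, str):        # single-audience special case
        aud = [aud]
    if not isinstance(aud, list):   # missing or malformed aud: reject
        return False
    return own_identifier in aud    # exact, case-sensitive comparison


if __name__ == "__main__":
    api = "https://api.example.com/v1"  # constructed sample values throughout
    print(build_authorization_url(
        "https://as.example.com/authorize", "client-1",
        "https://client.example.org/cb", "read", "af0ifjsldkj", [api]))
    print(audience_matches({"aud": [api, "https://files.example.com/"]}, api))
```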