JWT (Json Web Token) Audience “aud” versus Client_Id – What’s the difference?

by

As it turns out, my suspicions were right. The audience aud claim in a JWT is meant to refer to the Resource Servers that should accept the token.

As this post simply puts it:

The audience of a token is the intended recipient of the token.

The audience value is a string — typically, the base address of the
resource being accessed, such as https://contoso.com.

The client_id in OAuth refers to the client application that will be requesting resources from the Resource Server.

The Client app (e.g. your iOS app) will request a JWT from your Authentication Server. In doing so, it passes it’s client_id and client_secret along with any user credentials that may be required. The Authorization Server validates the client using the client_id and client_secret and returns a JWT.

The JWT will contain an aud claim that specifies which Resource Servers the JWT is valid for. If the aud contains www.myfunwebapp.com, but the client app tries to use the JWT on www.supersecretwebapp.com, then access will be denied because that Resource Server will see that the JWT was not meant for it.

More Related Contents:

  1. How is OAuth 2 different from OAuth 1?
  2. How to validate an OAuth 2.0 access token for a resource server?
  3. What is the difference between the OAuth Authorization Code and Implicit workflows? When to use each one?
  4. Why do access tokens expire?
  5. What are the main differences between JWT and OAuth authentication?
  6. Is there any JSON Web Token (JWT) example in C#?
  7. OAuth 2.0: Benefits and use cases — why?
  8. What is the purpose of the implicit grant authorization type in OAuth 2?
  9. Difference between OAuth 2.0 “state” and OpenID “nonce” parameter? Why state could not be reused?
  10. Should jwt web token be encrypted?
  11. OAuth 2.0 with Google Analytics API v3
  12. gapi.auth.signOut(); not working I’m lost
  13. LinkedIn OAuth2: “Unable to verify access token”
  14. OAuth Authorization vs Authentication
  15. Why Does OAuth v2 Have Both Access and Refresh Tokens?
  16. Can I really not ship open source with Client ID? [closed]
  17. CORS issue while making an Ajax request for oauth2 access token
  18. How to validate Azure AD security token?
  19. Why is there an “Authorization Code” flow in OAuth2 when “Implicit” flow works so well?
  20. What is the difference between Google Identity Toolkit, Google OAuth, Firebase Auth and Google+ sign in
  21. Spring OAuth redirect_uri not using https
  22. Sign in with Google temporarily disabled for this app
  23. Verifying Auth0 JWT throws invalid algorigthm
  24. Disable checkboxes on Google consent screen
  25. What exactly is OAuth (Open Authorization)?
  26. Twitter API – Logout
  27. client secret in OAuth 2.0
  28. where is devise implementation of “authenticate_user!” method?
  29. Refresh token using Omniauth-oauth2 in Rails application
  30. Netsuite OAuth Not Working

Leave a Comment