Status: Closed (shakedmanes closed this 6 years ago)
As answered here, there is a draft that talks a little about adding a special parameter for the audience. Also found in the Auth0 API that they require the audience parameter in their flows (Authorization Code, Client Credentials, etc.). For those reasons, we decided to add the audience parameter to our flows, to specify the audience the token will be generated for.
Adding to this, we can make a standard for resource servers as said in this specification and as said here.
Question:
As part of changing the type of the access token from an opaque string to a JWT, we specify some claims on the JWT, such as the 'aud' claim. The 'aud' claim specifies the audience of the access token; the audience is who exactly the token was generated for (in most cases, a resource server).

Currently, when we generate an access token in any OAuth2 flow, we don't have a way to infer or know for which audience the token should be generated.
We somehow need to decide (and maybe find a standard for that approach) how to get information about which audience the token will be generated for.
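The two halves of the idea above, taken together, as an added example that is not code from this issue or from the project: the authorization server accepts an `audience` request parameter, refuses it unless it names a registered resource server, and copies it into the JWT's `aud` claim; each resource server then rejects any token whose `aud` does not name it, so a token minted for one API cannot be replayed against another. The issuer URL, the registered audiences, the HMAC key and the client id are all constructed sample values; the JWT encoding is hand-rolled with the standard library (HS256) so the example runs offline, which is a stand-in for whatever JWT library the project uses.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data: the resource servers this authorization server
# knows about, keyed by the identifier a client may pass as `audience`.
REGISTERED_AUDIENCES = {
    "https://orders.example.test",
    "https://billing.example.test",
}
ISSUER = "https://auth.example.test"  # hypothetical issuer identifier
SIGNING_KEY = b"constructed-demo-hmac-key-do-not-reuse"  # constructed, demo only


def _b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, signing_input, hashlib.sha256).digest()


def issue_access_token(client_id: str, audience: str,
                       now: Optional[int] = None, lifetime: int = 3600) -> str:
    """Authorization-server side: mint a JWT access token whose `aud` is the
    resource server named by the client's `audience` parameter. An audience
    that is not registered is refused, so the server never signs a token for
    a resource it does not know about."""
    if audience not in REGISTERED_AUDIENCES:
        raise ValueError(f"unknown audience: {audience}")
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": client_id,
        "aud": audience,   # the audience the token was generated for
        "iat": now,
        "exp": now + lifetime,
    }
    compact = json.dumps
    signing_input = (
        _b64url(compact(header, separators=(",", ":")).encode())
        + "." + _b64url(compact(claims, separators=(",", ":")).encode())
    ).encode("ascii")
    return signing_input.decode("ascii") + "." + _b64url(_sign(signing_input))


def verify_access_token(token: str, expected_audience: str,
                        now: Optional[int] = None) -> dict:
    """Resource-server side: check signature, issuer and expiry, and then that
    the token was issued for *this* resource server. Per RFC 7519 section
    4.1.3 `aud` may be a string or a list of strings; the token is rejected
    unless our identifier is among them."""
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust alg from the token
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    if not hmac.compare_digest(_sign(signing_input), _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError(f"token not intended for {expected_audience}")
    return claims


if __name__ == "__main__":
    tok = issue_access_token("client-123", "https://orders.example.test")
    print(verify_access_token(tok, "https://orders.example.test")["aud"])
```

The check that matters for the issue is the last one in `verify_access_token`: a resource server that validates the signature but skips `aud` will happily accept a token the authorization server generated for some other API, so each resource server should compare `aud` against its own registered identifier, not merely check that the claim is present.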