By: Maxim Samoussenko user 17 Dec 2018 at 10:35 a.m. CST

3 Responses
Spring Security treats the `aud` claim as a resource identifier (something that allows the resource server to accept or reject the token). RFC 7519 provides a similar definition:

> The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-sensitive strings, each containing a StringOrURI value. In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value. The interpretation of audience values is generally application specific. Use of this claim is OPTIONAL.

At the same time it seems that `gluu` would fill this claim with the client id. At least in my case the JWT looks like this:

```
{
  "iss": "https://auth.mycompany.com",
  "aud": "@!2B8A.FE82.4F52.84B6!0001!23E4.EB75!0008!9C14.0A83.C446.4A31",
  "scope": [],
  "client_id": "@!2B8A.FE82.4F52.84B6!0001!23E4.EB75!0008!9C14.0A83.C446.4A31",
  "username": "username",
  "token_type": "bearer",
  "exp": 1545063051,
  "iat": 1545062751,
  "sub": "i_SuqwzATBJKnABeuxUX5b510K2eXysq7tRjlJ68hKE"
}
```

Two questions from my side:

1. What is the purpose/reason of providing the client id in the `aud` claim?
2. Is there a way to customize what `gluu` would put in the `aud` claim? I scanned the relevant sections in the documentation but was not able to find such a way.

Thanks.
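An added illustration (not code from this thread, from Gluu or from Spring Security) of the RFC 7519 audience rule quoted above, applied to a constructed token shaped like the one in the post; the resource server URI and the second client id are assumed values, and the signature is taken as already verified:

```python
# Added example: RFC 7519 `aud` handling as a resource server would apply it.
# All values below are constructed for illustration.

CLIENT_ID = "@!2B8A.FE82.4F52.84B6!0001!23E4.EB75!0008!9C14.0A83.C446.4A31"

# Claims modelled on the token in the post: `aud` carries the client_id.
CLAIMS = {
    "iss": "https://auth.mycompany.com",
    "aud": CLIENT_ID,
    "client_id": CLIENT_ID,
    "sub": "i_SuqwzATBJKnABeuxUX5b510K2eXysq7tRjlJ68hKE",
}


def audiences(claims):
    """Normalise `aud` per RFC 7519: absent -> [], single string -> [s], array kept."""
    aud = claims.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):
        return [aud]
    if isinstance(aud, list) and all(isinstance(a, str) for a in aud):
        return aud
    raise ValueError("aud must be a string or an array of strings")


def audience_accepts(claims, accepted):
    """If `aud` is present the verifier MUST identify itself with one of its values
    (case-sensitive match). If absent, acceptance is application-specific; this
    example chooses to allow it."""
    auds = audiences(claims)
    if not auds:
        return True
    return any(a in accepted for a in auds)


# Assumed identifier the resource server uses for itself.
RESOURCE_ID = "https://api.mycompany.com"

# With aud == client_id, a resource server that knows only its own id rejects
# the token; it only accepts once it enumerates every client allowed to call it,
# which is the coupling discussed in the thread.
KNOWN_CLIENTS = {CLIENT_ID, "@!CONSTRUCTED.SECOND.CLIENT!0001"}  # constructed allow-list

# A token whose aud lists the resource server directly (array form) is accepted
# by the resource id alone, without any client allow-list.
MULTI_AUD_CLAIMS = {**CLAIMS, "aud": [RESOURCE_ID, CLIENT_ID]}
```

`audience_accepts(CLAIMS, {RESOURCE_ID})` is False, `audience_accepts(CLAIMS, KNOWN_CLIENTS)` is True, and `audience_accepts(MULTI_AUD_CLAIMS, {RESOURCE_ID})` is True.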

By Michael Schwartz Account Admin 17 Dec 2018 at 11:06 a.m. CST

In 3.1.4, the `aud` is always the `client_id`. The client id generically represents the resource (i.e. the application that requested the token). In version 4.0 we will offer more flexibility about how to populate the value for `aud`. In 3.1.5, you could use a token introspection interception script (new feature).

By Maxim Samoussenko user 18 Dec 2018 at 2:09 a.m. CST

**Michael,** thank you for the explanation. I will look forward to the future versions in order to work around this issue. As for the thesis that

> The client id generically represents the resource (i.e. the application that requested the token)

I cannot completely agree. The client ID represents the application that requested the token but not the application that owns the resource (Resource Server). A single Resource Server could be used by multiple clients; thus it will have to know all possible client IDs in order to accept or reject the token, which tightly couples the Resource Server and its clients.

By Maxim Samoussenko user 18 Dec 2018 at 2:19 a.m. CST

I will also put this link here for reference (discussion on the subject on SO): https://stackoverflow.com/questions/28418360/jwt-json-web-token-audience-aud-versus-client-id-whats-the-difference