How to specify audience for an OAuth2 access token?

14
votes

I am confused that there seems to be no standard way to specify the audience for an access token when sending an authorization request to an authorization server.

OAuth2 specifies access tokens as opaque strings; there is only one mention of 'audience' in the spec, to say that access tokens could be 'audience-restricted'. Many recent authorization server implementations seem to produce JWT access tokens, and JWT specifies the audience (aud) claim.

As far as I find: - Auth0 uses an 'audience' parameter - Connect2id uses a 'resource' parameter - Identity Server uses a fixed issuer-based value for 'aud' claim, and assumes that scopes are enough - however, this does not fit all use cases. - The excellent 'OAuth2 in Action' book shows an example with a resource server URI in the 'aud' claim, but doesn't say where it comes from.

So, how to get an access token for a specific audience (resource server, API,...) in a standard way?

2
oauthoauth-2.0jwtaccess-token
You are correct in so far as Auth0 chose to implement their solution such that audience is a parameter sent with an auth/authz request. You can additionally add the scope attributes requested to the scope param too - eg. scope: read:books - it is not adhering to a strict standard since none exists spec wise. Auth0 has the notion of APIs (resource APIs) whereby the identifier is the audience a client can use as the audience value, and you can setup specific scopes on that resource API.arcseldon

2 Answers

8
votes

I think you are right. There are a couple of guidelines available. The OAuth 2.0 Authorization Framework: Bearer Token Usage OAuth 2.0: Audience Information (draft-tschofenig-oauth-audience-00.txt)

OpenID connect a clear defined "aud" parameter as:

REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.

1
votes

You mentioned the Tschofeniq draft in your comment on the accepted answer, but actually it looks like that doc is actually does support using the audience field:

The audience URI MUST be an absolute URI as defined by Section 4.3 of [3]. It MAY include an "application/x-www-form-urlencoded" formatted query component

In fact it speaks quite strongly that this step is important and that it should be done in exactly that manner:

Step (2): When the client interacts with the token endpoint to obtain an access token it MUST populate the newly defined audience parameter ...

So it seems Auth0 is probably on the right track with the direction they took. And as you pointed out in your comment, the aud field is for the response, not the request (common libraries like jsonwebtoken in NodeJs set fields like this (along with sub, jti, and iss) when you decode a JWT.