I want to implement a more robust authentication service, and JWT is a big part of what I want to do. I understand how to write the code, but I'm having a little trouble understanding the difference between the reserved iss and aud claims. I understand that one defines the server that is issuing the token and the other refers to the application it is intended for. But the way I understand that, my audience and issuer are the same thing: myserver.com is issuing the token so that people who come to myserver.com can be authorized and authenticated. I guess I don't see the differentiation between the two claims, although I know there is one.
There was a good article written on MSDN about all of the reserved claims, and that's where I got most confused, because they had their issuer and audience completely different.
- You might be interested in JWT RFC 7519. (Laiv, commented Sep 5, 2017 at 5:47)
1 Answer
These are intended for scenarios where you have a token issuing authority that is not the same as the application that is the intended recipient.
This may not be different for your application.
But consider a large scaled application. You might have an OAuth or SSO server that's issuing the certificates, and an application that wants a token that shows the SSO server has checked the user's credentials and has approved the user to use the application. In that case, you might have a token with "aud": "aud.example.com" and "iss": "sso.example.com".
- Oh I see. It was a misunderstanding on my part because I thought two things: 1. You had to have both "iss" and "aud" as part of the claims. 2. They had to be unique to each other. This obviously is not the truth. So, if you have an application such as mine, would you even include those two claims in your JWT, or leave them out since they would be identical? (Adam McGurk, commented Sep 5, 2017 at 2:01)
- You could certainly leave them out and add them later when you have a reason to use it. (Paul, commented Sep 5, 2017 at 2:03)
- Would aud sometimes be a third party or not? (Andy, commented May 5, 2020 at 18:07)
- I guess I'm also confused why scopes wouldn't be used for indicating that the user is approved for a given application. (Andy, commented May 5, 2020 at 18:08)
- Yes, aud can be a single value or an array. It's supposed to match on each intended recipient or processor. Let's say you're a user (or application) that wants to call api.example.com to run a query. If api.example.com trusts some third party auth service (e.g. Auth0) to handle authentication, then that auth service should populate aud with 'api.example.com', and the app at 'api.example.com' should verify that's the case. Scopes are more granular than audience, and can be included in the payload as well. (Paul, commented May 6, 2020 at 3:48)
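As an added example (not code from the question, the answer or any library), here is the issuer and audience check that the answer and Paul's last comment describe, built on a minimal HS256 mint/verify pair so it runs offline with no dependencies. The hostnames, shared secret and claim values are constructed for illustration.

```python
# Added example: a minimal HS256 JWT mint/verify pair that enforces the RFC 7519
# "iss" and "aud" semantics discussed above. "aud" may be a single string or an
# array; the recipient rejects the token unless it appears in it. All values here
# (hostnames, secret, subject, scope) are constructed for illustration.
import base64, hmac, hashlib, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWS: header.payload.signature, each base64url."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify(token: str, secret: bytes, expected_iss: str, my_aud: str, now=None) -> dict:
    """Return the claims if the token is from expected_iss and meant for my_aud, else raise."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    if json.loads(_unb64url(h)).get("alg") != "HS256":  # pin the algorithm; never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p))
    if claims.get("iss") != expected_iss:  # only tokens from the trusted issuing authority
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")  # RFC 7519 4.1.3: string or array of strings
    if my_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this audience")
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("expired")
    return claims

# Constructed sample: the SSO server mints one token intended for two API hosts.
SECRET = b"constructed-shared-secret"
TOKEN = mint({"iss": "sso.example.com", "aud": ["api.example.com", "admin.example.com"],
              "sub": "alice", "scope": "query:read", "exp": 4102444800}, SECRET)

if __name__ == "__main__":
    print(verify(TOKEN, SECRET, "sso.example.com", "api.example.com")["sub"])  # alice
```

Each recipient passes its own hostname as my_aud, so the same token is accepted by api.example.com and admin.example.com but rejected by any host the issuer did not name.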