
I want to implement a more robust authentication service, and JWT is a big part of what I want to do. I understand how to write the code, but I'm having a little trouble understanding the difference between the reserved iss and aud claims. I understand that one defines the server that is issuing the token and the other refers to the application the token is intended for. But the way I understand that is that my audience and issuer are the same thing: myserver.com is issuing the token so that people who come to myserver.com can be authorized and authenticated. I guess I don't see the differentiation between the two claims, although I know there is one.
There was a good article written on MSDN about all of the reserved claims, and that's where I got most confused, because they had their issuer and audience completely different.

  • You might be interested [JWT RFC-7519](https://tools.ietf.org/html/rfc7519#section-4.1) – Laiv Sep 05 '17 at 05:47

1 Answer

These are intended for scenarios where you have a token issuing authority that is not the same as the application that is the intended recipient.

This may not be different for your application.

But consider a large scaled application. You might have an OAuth or SSO server that's issuing the certificates, and an application that wants a token that shows the SSO server has checked the user's credentials and has approved the user to use the application. In that case, you might have a token with "aud": "aud.example.com" and "iss": "sso.example.com".

  • Oh I see. It was a misunderstanding on my part because I thought two things: 1. You had to have both "iss" and "aud" as part of the claims. 2. They had to be unique to each other. This obviously is not the truth. So, if you have an application such as mine, would you even include those two claims in your `jwt` or leave them out since they would be identical? – Adam McGurk Sep 05 '17 at 02:01
  • You could certainly leave them out and add them later when you have a reason to use them. – Paul Sep 05 '17 at 02:03
  • Would `aud` sometimes be a third party or not? – Andy May 05 '20 at 18:07
  • I guess I'm also confused why scopes wouldn't be used for indicating that the user is approved for a given application. – Andy May 05 '20 at 18:08
  • 1
    Yes, `aud` can be a single value or an array. It's supposed to match on each intended recipient or processor. Let's say you're a user (or application) that wants to call api.example.com to run a query. If api.example.com trusts some third party auth service (e.g. Auth0) to handle authentication, then that auth service should populate `aud` with 'api.example.com', and the app at 'api.example.com' should verify that's the case. Scopes are more granular than audience, and can be included in the payload as well. – Paul May 06 '20 at 03:48