I want to implement a more robust authentication service, and JWT is a big part of what I want to do. I understand how to write the code, but I'm having a little trouble understanding the difference between the reserved `iss` and `aud` claims. I understand that one defines the server that issues the token and the other refers to the application the token is intended for. But the way I understand it, my audience and issuer are the same thing: myserver.com is issuing the token so that people who come to myserver.com can be authorized and authenticated. I guess I don't see the differentiation between the two claims, although I know there is one.
There was a good article written at MSDN on all of the reserved claims, and that's where I got most confused, because they had their issuer and audience completely different.
Security – Difference Between ‘aud’ and ‘iss’ in JWT
Best Answer
These are intended for scenarios where you have a token issuing authority that is not the same as the application that is the intended recipient.
This may not be different for your application.
But consider a large scaled application. You might have an OAuth or SSO server that's issuing the certificates, and an application that wants a token that shows the SSO server has checked the user's credentials and has approved the user to use the application. In that case, you might have a token with `"aud": "aud.example.com"` and `"iss": "sso.example.com"`.