I am confused that there seems to be no standard way to specify the audience for an access token when sending an authorization request to an authorization server.
OAuth2 specifies access tokens as opaque strings; there is only one mention of 'audience' in the spec, to say that access tokens could be 'audience-restricted'.
Many recent authorization server implementations seem to produce JWT access tokens, and JWT specifies the audience (aud) claim.
As far as I find:
– Auth0 uses an 'audience' parameter
– Connect2id uses a 'resource' parameter
– Identity Server uses a fixed issuer-based value for 'aud' claim, and assumes that scopes are enough – however, this does not fit all use cases.
– The excellent 'OAuth2 in Action' book shows an example with a resource server URI in the 'aud' claim, but doesn't say where it comes from.
So, how to get an access token for a specific audience (resource server, API,…) in a standard way?
Best Answer
I think you are right. There are a couple of guidelines available. The OAuth 2.0 Authorization Framework: Bearer Token Usage OAuth 2.0: Audience Information (draft-tschofenig-oauth-audience-00.txt)
OpenID connect a clear defined "aud" parameter as: