Audience Claim
Fleeting

The aud (audience) claim is one of the registered JWT claims; it helps mitigate cross jwt confusion. The resource server must check that it is itself named in the token's audience, otherwise a malicious client could request a token with high privileges that was issued for another use case and present that token to gain access it was never meant to have.
If the principal processing the claim does not identify itself with a value in the “aud” claim when this claim is present, then the JWT MUST be rejected.
— https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3
Use of this claim is OPTIONAL.
[…]
access tokens SHOULD be restricted to certain resource servers (audience restriction), preferably to a single resource server.
— https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics
authorization server associates the access token with certain resource servers and every resource server is obliged to verify, for every request, whether the access token sent with that request was meant to be used for that particular resource server. If not, the resource server MUST refuse to serve the respective request.
— https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics