
What should an OpenID Connect provider do if a client requests scopes for many audiences? For example:

Api Resource A uses these scopes: test.read

Api Resource B uses these scopes: test.write

The client can request test.read and test.write; it has been allowed to use both. But now what to do with the audience in the access token if the client requested test.read and test.write? The audience should be only one, so I can't do something like this:

{
  "audience": "ApiResourceA ApiResourceB"
}

What does the OIDC provider have to do in this case?

Szyszka947

1 Answer


The audience claim represents one or more components / APIs that can receive a particular access token. So you should return either a single value or an array claim:

  • api.mycompany.com
  • [api1, api2]

A common technique is to use a value such as api.mycompany.com so that related APIs can forward access tokens to each other.

Scopes instead represent access to an area of business data, and operations allowed on that data. An example might be shipping:write. The scope best practices article provides further details, described in terms of a business example.

Gary Archer
  • But if the access token has multiple audiences, then after using it in API X, the token can be used by API X for another audience. I don't think it's safe. – Szyszka947 Aug 09 '22 at 18:32
  • I would think of it in terms of end-to-end flows, data ownership and business boundaries, as in the above article. Any good authorization server will give you choices on how you use audiences and scopes. It is then down to software architects to design how they will be used in a particular use case. A vendor building an authorization server should not dictate behaviour. – Gary Archer Aug 09 '22 at 18:39
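The answer's point is that `aud` may legally be either a single string or an array (RFC 7519 section 4.1.3), and that an API must check its own identifier against that claim before it checks scopes. The following is an added example, not code from the question, the answer, or any authorization server product. It mints two constructed HS256 tokens, one with a single audience and one with the array form, and shows the check each API performs: signature, expiry, audience, then scope. The secret, issuer and audience names are constructed for the demo; a real provider would sign with an asymmetric key and the API would fetch its public keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key; a real authorization server signs with an asymmetric key.
DEMO_SECRET = b"constructed-demo-hmac-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Mint an HS256 JWT in compact serialization (what the provider would issue)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the HS256 signature and return the payload claims; raise on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, not the token, decides the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def audience_allowed(claims: dict, my_audience: str) -> bool:
    """RFC 7519 4.1.3: 'aud' is a string or an array of strings. The API must
    reject the token unless its own identifier is one of them."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == my_audience
    if isinstance(aud, list):
        return my_audience in aud
    return False  # missing or malformed aud: reject


def scope_allowed(claims: dict, required_scope: str) -> bool:
    """'scope' is a space-delimited string (RFC 6749 / RFC 8693 convention)."""
    return required_scope in str(claims.get("scope", "")).split()


def authorize(token: str, my_audience: str, required_scope: str,
              now: Optional[float] = None, secret: bytes = DEMO_SECRET) -> bool:
    """What a resource server does per request: signature, expiry, audience, scope."""
    try:
        claims = verify_signature(token, secret)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False
    return audience_allowed(claims, my_audience) and scope_allowed(claims, required_scope)


# Constructed tokens for the two shapes the answer describes.
NOW = 1_700_000_000
TOKEN_A_ONLY = mint_token({"iss": "https://as.example", "sub": "client1",
                           "aud": "ApiResourceA", "scope": "test.read", "exp": NOW + 600})
TOKEN_BOTH = mint_token({"iss": "https://as.example", "sub": "client1",
                         "aud": ["ApiResourceA", "ApiResourceB"],
                         "scope": "test.read test.write", "exp": NOW + 600})

if __name__ == "__main__":
    print(authorize(TOKEN_A_ONLY, "ApiResourceA", "test.read", NOW))   # True
    print(authorize(TOKEN_A_ONLY, "ApiResourceB", "test.write", NOW))  # False: not in aud
    print(authorize(TOKEN_BOTH, "ApiResourceA", "test.read", NOW))     # True
    print(authorize(TOKEN_BOTH, "ApiResourceB", "test.write", NOW))    # True
    print(authorize(TOKEN_BOTH, "ApiResourceB", "test.admin", NOW))    # False: scope missing
```

The trade-off raised in the comments falls out of `audience_allowed`: with the array form, a token accepted by ApiResourceA is also accepted by ApiResourceB, so forwarding between the two is deliberate, not a bug. If that is unwanted, issue single-audience tokens and have API A exchange the token (RFC 8693) for one scoped to API B rather than forwarding its own. Note that an API cannot simply rewrite `aud` to widen a token: any edit to the payload invalidates the signature.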