oauth2.dev

aud

IESG

Registry Context

The `aud` claim identifies the recipients for which a JWT is intended. When the claim is present, a processing principal that does not identify itself among the audience values must reject the JWT. The value is generally an array, but may be a single string when there is one audience.

Technical Summary

RFC 7519 Section 4.1.3 defines `aud` as identifying the JWT's intended recipients. Each intended processing principal MUST identify itself with a value in the claim. A processing principal that does not do so when `aud` is present MUST reject the JWT. The value is generally an array of case-sensitive strings containing StringOrURI values; for one audience, it MAY instead be a single case-sensitive StringOrURI string. Audience interpretation is application specific, and use of `aud` is OPTIONAL.

When Used

When identifying and validating the intended recipient or recipients of a JWT.

Normative Requirements

Unspecified actor

OPTIONAL
1
  1. RFC 7519 - Section 4.1.3

    use the `aud` claim.

    Use of this claim is OPTIONAL.

Each principal intended to process the JWT

MUST
1
  1. RFC 7519 - Section 4.1.3

    identify itself with a value in the audience claim.

    Each principal intended to process the JWT MUST identify itself with a value in the audience claim.

The `aud` value

MAY
1
  1. RFC 7519 - Section 4.1.3

    be a single case-sensitive string containing a StringOrURI value.

    Condition: when the JWT has one audience

    When the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value.

The principal processing the claim

MUST
1
  1. RFC 7519 - Section 4.1.3

    reject the JWT.

    Condition: when `aud` is present and the principal does not identify itself with a value in the claim

    If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

Validation Guidance

error

When `aud` is present, reject the JWT if the current processing principal does not identify itself with any audience value.

error

Treat the general `aud` representation as an array of case-sensitive strings, each containing a StringOrURI value.

error

Permit a single case-sensitive StringOrURI string as the `aud` value when the JWT has one audience.

info

Do not require `aud` to be present solely under RFC 7519 Section 4.1.3, because use of the claim is optional.

Security Notes

RFC 7519 - Section 4.1.3

When `aud` is present, a processing principal that does not identify itself with an audience value must reject the JWT.

RFC 7519 - Section 4.1.3

Audience strings are case-sensitive.

Reference

Details

Entry Id
aud
Claim Name
aud
Claim Description
Audience
Change Controller
IESG
Reference
RFC7519 - Section 4.1.3