aud
Registry Context
The `aud` claim identifies the recipients for which a JWT is intended. When the claim is present, a processing principal that does not identify itself among the audience values must reject the JWT. The value is generally an array, but may be a single string when there is one audience.
Technical Summary
RFC 7519 Section 4.1.3 defines `aud` as identifying the JWT's intended recipients. Each intended processing principal MUST identify itself with a value in the claim. A processing principal that does not do so when `aud` is present MUST reject the JWT. The value is generally an array of case-sensitive strings containing StringOrURI values; for one audience, it MAY instead be a single case-sensitive StringOrURI string. Audience interpretation is application specific, and use of `aud` is OPTIONAL.
When Used
When identifying and validating the intended recipient or recipients of a JWT.
Normative Requirements
Unspecified actor
RFC 7519 - Section 4.1.3
use the `aud` claim.
Use of this claim is OPTIONAL.
Each principal intended to process the JWT
RFC 7519 - Section 4.1.3
identify itself with a value in the audience claim.
Each principal intended to process the JWT MUST identify itself with a value in the audience claim.
The `aud` value
RFC 7519 - Section 4.1.3
be a single case-sensitive string containing a StringOrURI value.
Condition: when the JWT has one audience
When the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value.
The principal processing the claim
RFC 7519 - Section 4.1.3
reject the JWT.
Condition: when `aud` is present and the principal does not identify itself with a value in the claim
If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.
Validation Guidance
When `aud` is present, reject the JWT if the current processing principal does not identify itself with any audience value.
Treat the general `aud` representation as an array of case-sensitive strings, each containing a StringOrURI value.
Permit a single case-sensitive StringOrURI string as the `aud` value when the JWT has one audience.
Do not require `aud` to be present solely under RFC 7519 Section 4.1.3, because use of the claim is optional.
Security Notes
RFC 7519 - Section 4.1.3
When `aud` is present, a processing principal that does not identify itself with an audience value must reject the JWT.
RFC 7519 - Section 4.1.3
Audience strings are case-sensitive.
Reference
Details
- Entry Id
aud- Claim Name
aud- Claim Description
Audience- Change Controller
IESG- Reference
RFC7519 - Section 4.1.3