oauth2.dev

aud

IETF

Registry Context

`aud` identifies the recipients for which a JWT is intended. A signed JAR Request Object should include this claim. Any principal processing the JWT must reject it when `aud` is present and contains no value by which that principal identifies itself.

Technical Summary

In a JWT Request Object, `aud` has the semantics defined by RFC 7519. RFC 9101 recommends that signed Authorization Request Objects contain `aud`. Its value is generally an array of case-sensitive StringOrURI values; when there is exactly one audience, it may instead be a single StringOrURI string. RFC 9101 states non-normatively (lowercase "should") that the value should be the authorization server's issuer identifier as defined by RFC 8414. Because the comparison is case-sensitive and exact, an authorization server that checks `aud` against its own issuer identifier will not accept a Request Object that was signed for a different server.

When Used

Used in JWT-Secured Authorization Request (JAR) Request Objects to identify the authorization server that is the intended recipient.

Normative Requirements

Requests

SHOULD
  1. RFC 9101 - Section 4

    contain the `aud` claim as a member.

    Condition: when the Request Object is signed

    If signed, the Authorization Request Object SHOULD contain the Claims iss (issuer) and aud (audience) as members.

Each principal intended to process the JWT

MUST
  1. RFC 7519 - Section 4.1.3

    identify itself with a value in the audience claim.

    Each principal intended to process the JWT MUST identify itself with a value in the audience claim.

The JWT issuer

MAY
  1. RFC 7519 - Section 4.1.3

    encode `aud` as a single case-sensitive string containing a StringOrURI value.

    Condition: when the JWT has one audience

    In the special case when the JWT has one audience, the "aud" value MAY be a single case-sensitive string containing a StringOrURI value.

OPTIONAL
  1. RFC 7519 - Section 4.1.3

    include the `aud` claim.

    Use of this claim is OPTIONAL.

The principal processing the JWT

MUST
  1. RFC 7519 - Section 4.1.3

    reject the JWT.

    Condition: if `aud` is present and the principal does not identify itself with a value in the claim

    If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

Validation Guidance

warning

For a signed Authorization Request Object, report a warning if `aud` is absent. The claim is OPTIONAL under RFC 7519, so absence in an unsigned Request Object is not a defect.

error

Reject the JWT if `aud` is present and the processing principal is not represented by one of its values. For a JAR Request Object the processing principal is the authorization server, which identifies itself by its issuer identifier (RFC 8414); compare that identifier to each `aud` value exactly and case-sensitively, with no URL normalization or prefix matching.

error

Validate `aud` as an array of case-sensitive StringOrURI strings, or as one such string when there is exactly one audience. Any other JSON type (number, object, array containing non-strings) is malformed and the JWT must be rejected.
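The following Python is an added example, not code from oauth2.dev or from any RFC, showing how an authorization server would apply the three checks above to the claims of a JAR Request Object. The issuer identifier `AS_ISSUER`, the client identifier, the sample Request Object and the function names are constructed for illustration; the JWS signature is not verified here and must be verified before the claims are trusted.

```python
import base64
import json
from typing import Any, Dict, Tuple

# Hypothetical authorization server issuer identifier (RFC 8414 "issuer" value).
AS_ISSUER = "https://as.example.com"


def b64url_decode(segment: str) -> bytes:
    """Decode an unpadded base64url segment as used in compact JWS serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_claims(compact: str) -> Dict[str, Any]:
    """Return the claims set of a compact JWS. Signature verification is deliberately
    out of scope for this example; in production verify the JWS first."""
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_aud(claims: Dict[str, Any], recipient: str, signed: bool) -> Tuple[str, str]:
    """Apply the aud rules of RFC 7519 section 4.1.3 and RFC 9101 section 4.

    Returns (level, message) with level one of "ok", "warning", "error".
    """
    if "aud" not in claims:
        if signed:
            # RFC 9101: a signed Request Object SHOULD carry aud.
            return ("warning", "signed Request Object lacks aud")
        # RFC 7519: the claim itself is OPTIONAL.
        return ("ok", "aud absent")

    aud = claims["aud"]
    # Normalise the two permitted encodings into one list of StringOrURI values.
    if isinstance(aud, str):
        values = [aud]
    elif isinstance(aud, list) and all(isinstance(v, str) for v in aud):
        values = aud
    else:
        return ("error", "aud must be a string or an array of strings")

    # Exact, case-sensitive membership test: no URL normalisation, no prefix match.
    if recipient in values:
        return ("ok", "recipient is an intended audience")
    return ("error", f"recipient {recipient!r} not listed in aud {values!r}")


def make_unverified_request_object(claims: Dict[str, Any]) -> str:
    """Build a compact JWS with a placeholder signature, only so that jwt_claims()
    has realistic input. A real Request Object is signed with the client's key."""
    header = {"alg": "RS256", "typ": "oauth-authz-req+jwt"}
    segments = [b64url_encode(json.dumps(h, separators=(",", ":")).encode())
                for h in (header, claims)]
    return ".".join(segments + ["placeholder-signature"])


# Constructed sample: a client's Request Object addressed to AS_ISSUER.
SAMPLE_REQUEST_OBJECT = make_unverified_request_object({
    "iss": "s6BhdRkqt3",
    "aud": AS_ISSUER,
    "response_type": "code",
    "client_id": "s6BhdRkqt3",
    "redirect_uri": "https://client.example.org/cb",
    "scope": "openid",
})


def validate_sample() -> Tuple[str, str]:
    """Run the audience check on the constructed sample as the AS would."""
    return check_aud(jwt_claims(SAMPLE_REQUEST_OBJECT), AS_ISSUER, signed=True)


if __name__ == "__main__":
    print(validate_sample())
    print(check_aud({"aud": "https://AS.example.com"}, AS_ISSUER, True))  # case differs
    print(check_aud({"iss": "s6BhdRkqt3"}, AS_ISSUER, True))                # absent, signed
```

`check_aud` treats an empty array as a mismatch rather than a type error, which still yields rejection: with no values listed, no principal can identify itself. Callers pass `signed` from the JWS header they have already verified, so the absence of `aud` is downgraded to a warning only where RFC 9101's SHOULD applies.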

Reference

Details

Entry Id
aud
Name
aud
Parameter Usage Location
authorization request
Change Controller
IETF
Reference
RFC7519 - Section 4.1.3, RFC9101