oauth2.dev

audience

IESG

Registry Context

`audience` is an optional token-exchange request parameter that names a logical target service where the requested token will be used. Multiple values can be supplied, and it can be combined with `resource`. Audience values used with an authorization server must be unique within that server.

Technical Summary

RFC 8693 Section 2.1 defines `audience` as an OPTIONAL parameter in the form-encoded token exchange request body. It identifies a logical target service understood by both the client and authorization server. Multiple `audience` parameters can identify multiple audiences, including alongside `resource` URI values.

When Used

Token exchange requests to an authorization server's token endpoint.

Normative Requirements

Clients

OPTIONAL
1
  1. RFC 8693 - Section 2.1

    Include the `audience` parameter in the token exchange request body.

    Condition: When making a token exchange request

    OPTIONAL. The logical name of the target service where the client intends to use the requested security token.

Validation Guidance

warning

Check that audience values used with a given authorization server are unique within that server so they can be interpreted correctly.

info

Allow multiple `audience` parameters in one token exchange request.

info

Allow `audience` and `resource` parameters to be used together.

info

Treat `audience` as optional in a token exchange request.

Security Notes

RFC 8693 - Section 2.1.1

Requests spanning many target services solicit broader access rights and are significantly more likely to be unfulfillable.

Reference

Details

Entry Id
audience
Name
audience
Parameter Usage Location
token request
Change Controller
IESG
Reference
RFC8693 - Section 2.1