audience
Registry Context
`audience` is an optional token-exchange request parameter that names a logical target service where the requested token will be used. Multiple values can be supplied, and it can be combined with `resource`. Audience values used with an authorization server must be unique within that server.
Technical Summary
RFC 8693 Section 2.1 defines `audience` as an OPTIONAL parameter in the form-encoded token exchange request body. It identifies a logical target service understood by both the client and authorization server. Multiple `audience` parameters can identify multiple audiences, including alongside `resource` URI values.
When Used
Token exchange requests to an authorization server's token endpoint.
Normative Requirements
Clients
RFC 8693 - Section 2.1
Include the `audience` parameter in the token exchange request body.
Condition: When making a token exchange request
OPTIONAL. The logical name of the target service where the client intends to use the requested security token.
Validation Guidance
Check that audience values used with a given authorization server are unique within that server so they can be interpreted correctly.
Allow multiple `audience` parameters in one token exchange request.
Allow `audience` and `resource` parameters to be used together.
Treat `audience` as optional in a token exchange request.
Security Notes
RFC 8693 - Section 2.1.1
Requests spanning many target services solicit broader access rights and are significantly more likely to be unfulfillable.
Reference
Details
- Entry Id
audience- Name
audience- Parameter Usage Location
token request- Change Controller
IESG- Reference
RFC8693 - Section 2.1