JWT aud (Audience) Claim
Explore the JWT aud (audience) claim, how it restricts token usage to intended recipients, single vs. multi-audience tokens, and validation strategies.
Detailed Explanation
The aud (audience) claim identifies the intended recipients of a JWT. A token should only be accepted by a service that recognizes itself as an intended audience. The value can be a single string or an array of strings, each representing an audience identifier (typically a URI or service name).
Single and multiple audiences:
// Single audience
{ "aud": "https://api.example.com" }
// Multiple audiences
{ "aud": ["https://api.example.com", "https://admin.example.com"] }
When a server validates a JWT, it checks that its own identifier appears in the aud claim. If it does not, the token is rejected. This prevents a token intended for one service from being replayed against another, even if both services share the same signing key or trust the same issuer.
The confused deputy problem:
Without audience validation, a service is exposed to the confused deputy attack. Consider two services, a public API and an internal admin API, both trusting the same identity provider. An attacker obtains a token meant for the public API and sends it to the admin API. If the admin API does not check aud, it grants access because the token's signature is valid and the issuer is trusted. Audience validation prevents this by ensuring each service only accepts tokens explicitly addressed to it.
OAuth 2.0 and audience:
In OAuth 2.0 flows, the aud claim typically identifies the resource server (API) that the access token is intended for. The client requests a specific audience during the authorization flow using the resource or audience parameter. Auth0, for example, uses the API identifier as the audience value. This ensures that a token granted for one API cannot be used with another, even within the same organization.
Validation implementation:
When implementing audience validation, compare the expected audience against the aud claim using exact string matching: no prefix, substring, or case-insensitive comparison, since "https://api.example.com" and "https://api.example.com/" are different audiences. If aud is an array, check that your service's identifier is present in the array. A token with no aud claim at all should be rejected, not treated as valid for every service. Never skip audience validation, even in development environments, as this creates habits that lead to production vulnerabilities. Most JWT libraries support configuring the expected audience during verification.
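As an added example (not code from the original page), a minimal HS256 verifier in Python that checks the signature and then enforces aud with exact matching for both the string and array forms, rejecting a missing or malformed claim. The key, subject and audience URIs are constructed for the demo; a production service would use its JWT library's audience option rather than hand-rolling this.

```python
import base64, hashlib, hmac, json

# Constructed demo secret shared by both services, as in the confused deputy scenario above.
DEMO_KEY = b"shared-secret-used-by-both-services"

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used only to construct sample tokens for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def audience_matches(aud_claim, expected: str) -> bool:
    """Exact string comparison; aud may be a single string or an array of strings."""
    if isinstance(aud_claim, str):
        return aud_claim == expected
    if isinstance(aud_claim, list):
        return any(isinstance(a, str) and a == expected for a in aud_claim)
    return False  # missing or malformed aud is a rejection, never a pass

def verify_token(token: str, key: bytes, expected_audience: str) -> dict:
    """Verify the HS256 signature, then enforce aud. Raises ValueError on any failure."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; do not let the token choose it
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not audience_matches(claims.get("aud"), expected_audience):
        raise ValueError("token not addressed to this service")
    return claims

if __name__ == "__main__":
    # Same key and issuer: the public API accepts the token, the admin API must not.
    token = make_hs256_token({"sub": "alice", "aud": "https://api.example.com"}, DEMO_KEY)
    print("public API accepted:", verify_token(token, DEMO_KEY, "https://api.example.com")["sub"])
    try:
        verify_token(token, DEMO_KEY, "https://admin.example.com")
    except ValueError as err:
        print("admin API rejected:", err)
```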
Use Case
A payment processing API validates that the aud claim matches its own service identifier, preventing tokens issued for other APIs from authorizing transactions.