JWT (Json Web Token) Audience "aud" versus Client_Id - What's the difference?


Question


I'm working on implementing OAuth 2.0 JWT access_token in my authentication server. But, I'm not clear on what the differences are between the JWT aud claim and the client_id HTTP header value. Are they the same? If not, can you explain the difference between the two?


My suspicion is that aud should refer to the resource server(s), and the client_id should refer to one of the client applications recognized by the authentication server (i.e. web app, or iOS app).


In my current case, my resource server is also my web app client.

Answer


As it turns out, my suspicions were right. The audience aud claim in a JWT is meant to refer to the Resource Servers that should accept the token.

As stated in this post:


The audience of a token is the intended recipient of the token.


The audience value is a string -- typically, the base address of the resource being accessed, such as https://contoso.com.


The client_id in OAuth refers to the client application that will be requesting resources from the Resource Server.


The Client app (e.g. your iOS app) will request a JWT from your Authentication Server. In doing so, it passes its client_id and client_secret along with any user credentials that may be required. The Authorization Server validates the client using the client_id and client_secret and returns a JWT.


The JWT will contain an aud claim that specifies which Resource Servers the JWT is valid for. If the aud contains www.myfunwebapp.com, but the client app tries to use the JWT on www.supersecretwebapp.com, then access will be denied because that Resource Server will see that the JWT was not meant for it.
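The flow the answer describes, as an added example that is not part of the original post: an authorization server mints an access token that carries both an aud claim (the resource servers the token is for) and a client_id claim (the application that asked for it), and a resource server validates the signature, the expiry and then its own audience before trusting the token. The issuer URL https://auth.example.com, the client identifiers, the shared HS256 key and the token values are assumptions made up for this example; the hostnames www.myfunwebapp.com and www.supersecretwebapp.com are the ones used in the answer. Only the Python standard library is used so it runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment would use an asymmetric key pair
# published via JWKS so resource servers never hold signing material.
AUTH_SERVER_KEY = b"demo-hs256-key-not-for-production"
ISSUER = "https://auth.example.com"  # assumed issuer URL


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(client_id: str, subject: str, audiences: list,
                       key: bytes = AUTH_SERVER_KEY, now: int = None,
                       ttl: int = 300) -> str:
    """Authorization server side: after the client has authenticated with its
    client_id/client_secret (not shown), mint a JWT whose aud names the resource
    server(s) allowed to accept it and whose client_id records who requested it."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "sub": subject,
        # RFC 7519 allows aud to be a single string or an array of strings.
        "aud": audiences[0] if len(audiences) == 1 else list(audiences),
        "client_id": client_id,
        "iat": now,
        "exp": now + ttl,
    }
    enc = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class TokenRejected(Exception):
    """Raised by the resource server when a token must not be honoured."""


def verify_access_token(token: str, my_audience: str,
                        key: bytes = AUTH_SERVER_KEY, now: int = None) -> dict:
    """Resource server side. Order matters: check the signature first so that
    nothing in an unauthenticated payload influences later decisions, then
    expiry, then whether *this* server is in the token's audience."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm; never let the token choose it (alg=none style attacks).
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise TokenRejected("unknown issuer")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if my_audience not in audiences:
        raise TokenRejected(f"token audience {audiences} does not include {my_audience}")
    return claims


def is_accepted(token: str, my_audience: str, now: int = None) -> bool:
    """Convenience wrapper: True if the resource server would honour the token."""
    try:
        verify_access_token(token, my_audience, now=now)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    t = 1_700_000_000
    tok = issue_access_token("ios-app-1", "alice", ["www.myfunwebapp.com"], now=t)
    print("myfunwebapp accepts:", is_accepted(tok, "www.myfunwebapp.com", now=t))
    print("supersecretwebapp accepts:", is_accepted(tok, "www.supersecretwebapp.com", now=t))
```

Note that the resource server never asks "which client_id is this?" to decide whether to honour the token; it asks "am I in aud?". The client_id claim is still useful for logging and for per-client rate limits or scope policy, and in the poster's setup where the web app is both client and resource server the same string can legitimately appear as client_id and as one entry of aud, but they are decided by different parties for different purposes.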

