JWT (Json Web Token) Audience "aud" versus Client_Id - What's the difference?


Question

I'm working on implementing OAuth 2.0 JWT access_token in my authentication server. But, I'm not clear on what the differences are between the JWT aud claim and the client_id HTTP header value. Are they the same? If not, can you explain the difference between the two?

My suspicion is that aud should refer to the resource server(s), and the client_id should refer to one of the client applications recognized by the authentication server (i.e. web app, or iOS app).

In my current case, my resource server is also my web app client.

Answer

As it turns out, my suspicions were right. The audience aud claim in a JWT is meant to refer to the Resource Servers that should accept the token.

As this post simply puts it:

The audience of a token is the intended recipient of the token.

The audience value is a string -- typically, the base address of the resource being accessed, such as https://contoso.com.

The client_id in OAuth refers to the client application that will be requesting resources from the Resource Server.

The Client app (e.g. your iOS app) will request a JWT from your Authentication Server. In doing so, it passes its client_id and client_secret along with any user credentials that may be required. The Authorization Server validates the client using the client_id and client_secret and returns a JWT.

The JWT will contain an aud claim that specifies which Resource Servers the JWT is valid for. If the aud contains www.myfunwebapp.com, but the client app tries to use the JWT on www.supersecretwebapp.com, then access will be denied because that Resource Server will see that the JWT was not meant for it.
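The flow the answer describes, as an added example that is not part of the original answer: an authorization server mints a JWT that records the requesting client in a client_id claim and the target resource server(s) in aud, and a resource server accepts the token only if its own identifier appears in aud. Everything here is assumed for illustration: the issuer URL https://auth.example.com, the client identifiers, the shared secret, and the choice of HS256 with a symmetric key (a real deployment would more likely use an asymmetric algorithm such as RS256 or ES256 so resource servers never hold a signing key). Only the Python standard library is used, so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example only: a symmetric key shared by the
# authorization server and the resource server (HS256).
SECRET = b"example-shared-secret-do-not-use-in-production"
ISSUER = "https://auth.example.com"  # hypothetical authorization server


def b64url(data: bytes) -> str:
    """Base64url without padding, as required by the JWT compact form."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_token(client_id, subject, audiences, ttl=300, now=None):
    """Authorization server side: mint an HS256 JWT for a validated client.

    client_id identifies the application that asked for the token and is
    kept in its own claim; aud names the resource server(s) that may accept it.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "sub": subject,
        "client_id": client_id,   # who requested the token
        "aud": audiences,         # who is allowed to accept it (str or list)
        "iat": now,
        "exp": now + ttl,
    }
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_token(token, expected_audience, now=None):
    """Resource server side: check signature, expiry and audience.

    Returns the claims on success; raises ValueError with a reason otherwise.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the alg header is attacker-controlled input.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(SECRET, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # RFC 7519: aud is a single string or an array of strings. This server
    # accepts the token only if its own identifier is among them.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_audience not in audiences:
        raise ValueError("token not intended for this audience")
    return claims


if __name__ == "__main__":
    # The iOS client obtains a token scoped to www.myfunwebapp.com ...
    tok = issue_token("ios-app", "alice", "https://www.myfunwebapp.com")
    print(verify_token(tok, "https://www.myfunwebapp.com")["client_id"])
    # ... and presenting it to www.supersecretwebapp.com is refused.
    try:
        verify_token(tok, "https://www.supersecretwebapp.com")
    except ValueError as err:
        print("rejected:", err)
```

The client_id claim tells the resource server which application presented the token, while aud tells it whether the token was meant for it at all; the two checks are independent, and a token whose aud names another server is rejected before any client-specific authorization decision is made.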

