What is audience? #96
This library implements RFC7519. See Section 4.1.3 for the description of the https://tools.ietf.org/html/rfc7519#section-4.1.3 In practical use, this tends to be the "client id" or "client key" of the application that the JWT is intended to be used by. It allows the client to verify that the JWT was sent by someone who actually knows who they are.
Ok, so roles like
It's difficult for me to guess what you mean by "don't fit here". This library will not stop you from putting What are you trying to do with JWTs?
This isn't really library specific. I'm just trying to understand if setting the user role type into the
Ah I see. Well, the RFC has nothing to do with users at all. It is about transferring abstract claims in a secure fashion. From the RFC: "The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected." So whoever or whatever is decoding the JWT should already be expecting a particular value for
Thanks a lot for that explanation. Clears things up a bit.
Np 😄
Where is the aud set? Is it set by the token issuer or by app requesting the token? |
It is set by the token issuer, but it is totally optional. |
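The recipient-side rule quoted from the RFC above, as an added example that is not this library's code: a constructed HS256 issuer plus a verifier that applies the RFC 7519 Section 4.1.3 audience check (reject when aud is present and does not name the verifier, accept when aud is absent), with user roles carried in a separate custom claim rather than in aud. Only the Python standard library is used; the key, claim names and identities are constructed for the demo.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed shared key for the demo

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(claims: dict) -> str:
    """Issuer side: HS256-sign the claims. The issuer decides what goes in aud."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, my_identity: str) -> dict:
    """Recipient side: check the signature, then apply RFC 7519 s4.1.3:
    if aud is present and does not identify us, the JWT MUST be rejected.
    Returns the claims on success, raises ValueError on rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust an unexpected algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if aud is None:
        return claims  # aud is optional; no audience restriction was set
    audiences = [aud] if isinstance(aud, str) else list(aud)  # string or array form
    if my_identity not in audiences:
        raise ValueError(f"token not intended for {my_identity}")
    return claims

def is_accepted(token: str, my_identity: str) -> bool:
    try:
        verify_token(token, my_identity)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Roles live in a custom claim; aud names the APIs allowed to consume the token.
    tok = issue_token({"sub": "alice", "aud": ["billing-api", "reports-api"], "roles": ["admin"]})
    print(is_accepted(tok, "billing-api"), is_accepted(tok, "admin"))  # True False
```

A verifier that skips the aud check would happily accept a token minted for a different service, which is exactly what the MUST in the RFC is guarding against.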
What exactly is aud (audience)? Can this represent roles of the user session / owner of the token? i.e. admin, guest, etc?