Best practice on handling aud claims?

martinbean · February 17, 2022, 11:41am

I’m started using JWT-based authorisation in my applications, as I have various applications that need to talk to each other and don’t want the overhead of OAuth and constantly bouncing users around to authorise apps.

I have the reason and verifying of JWTs working in my apps, expect for handling the aud claim. My intention was, to use the hostname of each service as the aud, which leads me to my question.

If I have a service at foo.example.com and someone tries to authenticate using a JWT with the aud claim set to bar.example.com, what HTTP response should I return? Would this be a 400 Bad Request? 401 Unauthorized? Is there a standard response for, “Your token is fine, but we’re the wrong audience, buddy”?

dan.woda · February 22, 2022, 11:34pm

Hi @martinbean,

Welcome to the Auth0 Community!

IIRC, this is how we handle it:

{
  statusCode: 401,
  error: 'Unauthorized',
  message: 'Bad audience: https://example-api'
}

system · March 9, 2022, 11:35pm

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Usage of aud claim? Help	2	16858	February 5, 2021
Unable to Verify aud Claim Help jwt , nodejs , node-auth0	5	6745	April 16, 2020
JWT returned to callback has incorrect aud (audience) Help jwt , audience , angular2	6	12362	March 2, 2018
Golang validation failed, invalid audience claim (aud) Help jwt , auth0	1	1940	July 18, 2022
Invalid claims from backend API in production but successful in development environment Help jwt , auth0 , api , claims , flask	5	3952	January 26, 2022

Best practice on handling aud claims?

Related Topics