I’m started using JWT-based authorisation in my applications, as I have various applications that need to talk to each other and don’t want the overhead of OAuth and constantly bouncing users around to authorise apps.
I have the reason and verifying of JWTs working in my apps, expect for handling the aud claim. My intention was, to use the hostname of each service as the aud, which leads me to my question.
If I have a service at foo.example.com and someone tries to authenticate using a JWT with the aud claim set to bar.example.com, what HTTP response should I return? Would this be a 400 Bad Request? 401 Unauthorized? Is there a standard response for, “Your token is fine, but we’re the wrong audience, buddy”?