Implement multiple audiences in an access token

william3 · January 25, 2023, 12:08am

Feature: Implement multiple audiences in an access token

Description:

When requesting an access token, allow the client to specify multiple audiences so they can present that access token to multiple servers for authorization.

Use-case:

As most companies would, we have multiple client apps and multiple servers.
Some of those clients need access to more than one server.

We need a flow that allows users to auth once from which we get an AccessToken that we can supply to the relevant servers.

The natural way to do that is to provide multiple audiences with the auth request so that the auth token contains multiple audiences.

The stated workaround in Auth0 is to create an UberApi and then use scopes within that API to partition access to each of the APIs that it represents.

The problems with this approach are that:

Scopes are there to limit an application’s access to user data.
Audiences are there to limit a user’s access to a server resource.
Using scopes in this manner means that you need bespoke code in each server that decodes the token and parses it for specific scope(s). Introducing code complexity and error for a simple cross cut.
Taking this to its logical conclusion means that you would have a single Audience for all your server resources and within that Audience you would have a custom scope for every server resource that you expose. Which would totally defat the whole API/audience concept in the first place.

tyf · January 25, 2023, 12:14am

Thanks for the feedback @william3! Be sure and add your vote

damikun · May 25, 2023, 10:26am

I also hit this requirement i want my user to have audience access to MFA and also to our API in one authorize request… But multiple audiences are not supported…

missraphie_BT · September 12, 2023, 1:28pm

This requirement is needed for our product development. Do you guys at Auth0 have an ETA for that feature request?

quynh.p · October 7, 2023, 3:41am

I find this really necessary
At least on the Frontend side,
Because users do not need to log back and forth between audiences too many times if only supporting 1 single audience
It was a terrible experience with UX

pavol.soltes · October 30, 2023, 11:40am

Is there any ETA now year later? or it will be same as login after password reset ticket, that got nothing done on it in 5 years?

j.krabs · January 18, 2024, 9:02am

@tyf is there any update on this issue?
It is in the top ten of voted feature request. Seems to be important for the community

tyf · January 19, 2024, 11:17pm

Hey @j.krabs thanks for following up on this

I unfortunately have no update regarding this being added as a feature - I’ll add some general context to the idea:

Supporting multiple audiences is a generally viewed as not a great idea - It dilutes the value of having audiences to begin with (makes every call more dangerous and increases the blast radius in case of token leak), introduces ambiguity (to what audience does a particular scope refers to?) and is very challenging in terms of authorization policies (different audiences requiring different auth factors, different max_age values, etc.).

If multiple APIs are part of the same logical API, then using a single logical API is the current recommended approach: