Feature: Implement multiple audiences in an access token
When requesting an access token, allow the client to specify multiple audiences so they can present that access token to multiple servers for authorization.
As most companies would, we have multiple client apps and multiple servers.
Some of those clients need access to more than one server.
We need a flow that allows users to auth once from which we get an AccessToken that we can supply to the relevant servers.
The natural way to do that is to provide multiple audiences with the auth request so that the auth token contains multiple audiences.
The stated workaround in Auth0 is to create an UberApi and then use scopes within that API to partition access to each of the APIs that it represents.
The problems with this approach are that:
- Scopes are there to limit an application’s access to user data. Audiences are there to limit a user’s access to a server resource.
- Using scopes in this manner means that you need bespoke code in each server that decodes the token and parses it for specific scope(s), introducing code complexity and error for a simple cross-cutting concern.
- Taking this to its logical conclusion means that you would have a single Audience for all your server resources and, within that Audience, a custom scope for every server resource that you expose, which would totally defeat the whole API/audience concept in the first place.
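To make the two approaches concrete, here is an added example (not part of the original post, and not Auth0's code) showing what a resource server has to check in each case. It mints HS256 tokens with a constructed demo secret so it runs offline; `https://orders.example`, `https://billing.example`, `https://inventory.example` and `https://uber-api.example` are hypothetical audience identifiers. The `aud` handling follows RFC 7519 section 4.1.3, which allows the claim to be either a single string or an array of strings, so the multi-audience token needs nothing beyond the standard audience check, while the UberApi token needs the extra per-server scope parse described above.

```python
"""Resource-server side: verify a JWT, then check `aud` (and, under the
UberApi workaround, a per-server scope). Added example with constructed data."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by issuer and resource servers (hypothetical;
# a real deployment verifies against the issuer's asymmetric signing key).
DEMO_SECRET = b"demo-signing-secret-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Issuer side, for the demo only: build a compact HS256 JWT from `claims`."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Check signature and `exp`, return the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def audience_accepted(claims: dict, my_audience: str) -> bool:
    """RFC 7519 4.1.3: `aud` is one string or an array of strings. The server
    rejects the token unless its own identifier appears there."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        return aud == my_audience
    if isinstance(aud, list):
        return any(isinstance(a, str) and a == my_audience for a in aud)
    return False  # missing or malformed aud: reject


def scope_granted(claims: dict, required_scope: str) -> bool:
    """UberApi workaround: one shared audience, per-server scopes in the
    space-delimited `scope` claim. Every server must add this extra parse."""
    return required_scope in claims.get("scope", "").split()


def server_accepts(token: str, my_audience: str, required_scope=None, now=None) -> bool:
    """Per-request check: verify, audience-check, then (workaround only) scope-check."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    if not audience_accepted(claims, my_audience):
        return False
    if required_scope is not None and not scope_granted(claims, required_scope):
        return False
    return True


NOW = 1_700_000_000  # fixed clock so the demo is reproducible

# Constructed token with the requested feature: several audiences in one `aud` array.
MULTI_AUD_TOKEN = mint_token({
    "iss": "https://issuer.example", "sub": "user-123",
    "aud": ["https://orders.example", "https://billing.example"],
    "exp": NOW + 3600,
})

# Constructed token under the workaround: a single UberApi audience plus per-API scopes.
UBER_TOKEN = mint_token({
    "iss": "https://issuer.example", "sub": "user-123",
    "aud": "https://uber-api.example",
    "scope": "orders:read billing:read",
    "exp": NOW + 3600,
})

if __name__ == "__main__":
    for aud in ("https://orders.example", "https://billing.example", "https://inventory.example"):
        print(aud, "accepts multi-aud token:", server_accepts(MULTI_AUD_TOKEN, aud, now=NOW))
    print("billing via UberApi token:",
          server_accepts(UBER_TOKEN, "https://uber-api.example", "billing:read", now=NOW))
    print("inventory via UberApi token:",
          server_accepts(UBER_TOKEN, "https://uber-api.example", "inventory:read", now=NOW))
```

One caveat worth keeping in view with the requested feature: a token whose `aud` lists several servers is, by design, a valid bearer token at all of them, so any one of those servers (or anyone who captures the token in transit) can replay it to the others until `exp`. Per-audience tokens confine that exposure to one server; the multi-audience token trades that confinement for the single sign-on convenience the post asks for.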