Hi, I would like to ask about how people use the aud claim. It's a bit vague to me. I'm using it like this; could you please tell me if this is a correct way to do it?
I have 2 frontend apps: an admin portal and a user portal.
I have a server to do the login function; it handles the login, then signs a JWT token and sends it back to the browser. <1>
I have an API gateway that handles requests from the browser, including the JWT created by <1>. After validation, this gateway decides whether to route the request to the admin system (e.g. admin.foo.com) or to the user system (e.g. user.foo.com). <2>
During <2> I check the value of the JWT aud claim and then redirect the traffic accordingly. The purpose of this usage is to prevent users from the user portal from using their valid JWT token to access some admin resources.
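As an added example (not the poster's code), here is the flow described above in plain Python with only the standard library: the login server <1> signs an HS256 JWT that carries an aud, and the gateway <2> verifies signature and expiry, then refuses to forward a token to a backend that its aud does not name. The signing key, host names and backend labels are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real login server and gateway would share it via a secret store.
SECRET = b"demo-signing-key-not-for-production"

# Gateway <2>: the backend behind each audience value a token may carry.
ROUTES = {"admin.foo.com": "admin-backend", "user.foo.com": "user-backend"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Login server <1>: HS256-sign the claims, which must include the intended aud."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now: int) -> dict:
    """Reject an unexpected alg, a bad signature or an expired token before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

def route_request(token: str, requested_host: str, now: int) -> str:
    """Gateway <2>: forward only if the token's aud covers the host being requested."""
    if requested_host not in ROUTES:
        raise PermissionError("unknown host")
    claims = verify_jwt(token, now)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519: aud is a string or an array
    if requested_host not in audiences:
        # A valid user-portal token presented to admin.foo.com is refused here.
        raise PermissionError(f"aud {audiences} does not cover {requested_host}")
    return ROUTES[requested_host]
```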