Hi, I would like to ask about how people use the aud claim. It's a bit vague to me. I'm using it like this; could you please tell me whether this is a correct way to do it?
Suppose that:
I have 2 frontend apps: an admin portal and a user portal.
I have a server that handles login, then signs a JWT and sends it back to the browser. <1>
I have an API gateway that handles requests from the browser, including the JWT created by <1>. After validation, this gateway decides whether to route the request to the admin system (e.g. admin.foo.com) or to the user system (e.g. user.foo.com). <2>
I’m using the aud like this:
During step <1>, I check whether the login request comes from the user portal or the admin portal, then set the value of the audience field to admin.foo.com or user.foo.com accordingly.
During <2>, I check the value of the JWT's aud claim and route the traffic accordingly. The purpose of this usage is to prevent users from the user portal from using their valid JWT to access admin resources.
Assuming that the systems at admin.foo.com and user.foo.com don't have an additional authorization layer, can I do as above?
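An added example (not the poster's code) of the scheme described in <1> and <2>, in Python using only the standard library: the login server stamps the portal host into aud, and the gateway verifies the signature and then refuses to forward any token whose aud does not equal the host being requested. The HS256 shared secret, the route table and the host names are assumptions for demonstration.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by the login server <1> and the gateway <2> (assumption: HS256).
SECRET = b"demo-secret-not-for-production"

# Assumed mapping from the requested host to the backend the gateway forwards to.
ROUTES = {"admin.foo.com": "admin-backend", "user.foo.com": "user-backend"}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, portal_host: str, ttl: int = 300) -> str:
    """Step <1>: the login server records the portal the user logged in through as aud."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "aud": portal_host, "exp": int(time.time()) + ttl}
    signing_input = f"{b64url_encode(json.dumps(header).encode())}.{b64url_encode(json.dumps(claims).encode())}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def route_request(token: str, requested_host: str):
    """Step <2>: verify the token, then forward only if aud equals the host this request is for.
    Returns the backend name, or None when the request must be rejected."""
    try:
        h, c, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None  # pin the algorithm; never let the token pick how it is verified
    expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # signature does not match: tampered or forged
    claims = json.loads(b64url_decode(c))
    if claims.get("exp", 0) < time.time():
        return None  # expired
    # The check the post asks about: a token issued for user.foo.com is never forwarded to admin.foo.com.
    if claims.get("aud") != requested_host:
        return None
    return ROUTES.get(requested_host)
```

Note that the gateway compares aud to the host it is about to forward to, not just "some allowed value"; if both backends also validate the JWT themselves, each should repeat the same aud check for its own host.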