What is the Audience?

Question: What is the Audience?

Answer:

The audience parameter exists as part of the OAuth2.0 protocol. You can read more information from the specification here.

What is it?

The audience (presented as the aud claim in the access token) defines the intended recipients of the token.

This is typically the resource server (API, in the dashboard) that a client (Application) would like to access.

It can be added to the request to authorize i.e. audience: 'https://test-api'

Here is an example where an application MY_CLIENT_ID_12345 requested an access token with an audience of https://test-api.

{
  "header": {
    "alg": "RS256",
    "typ": "JWT",
    "kid": "123456"
  },
  "payload": {
    "iss": "https://xxxxx.auth0.com/",
    "sub": "auth0|123456789",
    "aud": "https://test-api",
    "iat": 1634332895,
    "exp": 1634419295,
    "azp": "MY_CLIENT_ID_123456",
    "scope": "openid email",
    "permissions": []
  },
  "signature": "123456"
}

You will see the audience is in the token as aud.

Although the access token is issued to the client/application (azp), it is not the intended recipient. Rather, the client is the authorized party (presented as the azp claim in the access token) and is not meant to consume the access token.

What should I use as my API Identifier?

The identifier should be an absolute URI, but this doesn’t have to be a publicly available URI; Auth0 will not call your API at all.

Is it optional?

Yes, it is possible to make a request to authorize without including an audience parameter. In this case, the audience parameter will default to the userinfo endpoint for your tenant, and an opaque token will be issued that can be exchanged for user information.

Additionally, a custom default audience can be configured. Setting the Default Audience is equivalent to appending this audience to every authorization request made to your tenant for every application. This will cause new behavior that might result in breaking changes for some of your applications.

2 Likes