I am working on a project and I am trying to understand how I should structure my audiences. My architecture is a single API gateway into a bunch of microservices. It seems like I should have 1 audience per resource ID, which in my mind would be per microservice. However, my coworker suggests it should be per resource or URL therefore one audience for all microservices. What are the pros and cons of each way of handling it?
This is a complicated question.
Examine the security requirements of each microservice - are they the same? If so, one audience is all that is required and is much simpler.
If some (or all) have differing requirements, you need one audience per set of requirements. This is more complex.
Be aware that if you follow the latter route, you may run into issues like access tokens expiring ten layers deep in API calls, so it is not easy to silent auth and get a new one, or getting ten layers deep and needing an access token with a different audience.
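Added example, not code from the question or the answer: a minimal HS256 JWT issuer and a per-service audience check built from the Python standard library (the service names, subject and shared secret are constructed for the demo; a real deployment would use asymmetric keys and a JWT library). It shows what the two layouts mean at verification time: a token minted for one audience is rejected by a service expecting another, while a multi-valued `aud` (or one shared audience) is honoured by every service.

```python
import base64, hashlib, hmac, json, time

SECRET = b"demo-shared-secret"  # constructed for the demo, not a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience, ttl_seconds: int = 300) -> str:
    """Mint an HS256 JWT. `audience` is one service name or a list (RFC 7519 s4.1.3)."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": subject, "aud": audience, "exp": int(time.time()) + ttl_seconds}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_for_service(token: str, service_audience: str) -> dict:
    """Each microservice checks signature, expiry and that it is a listed audience.
    Raises ValueError on any failure, so an "orders" token does not open "billing"."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if service_audience not in audiences:
        raise ValueError(f"token not intended for {service_audience}")
    return claims


def service_accepts(token: str, service_audience: str) -> bool:
    """Boolean wrapper: would this microservice serve the request carrying this token?"""
    try:
        verify_for_service(token, service_audience)
        return True
    except ValueError:
        return False
```

With one audience per microservice the gateway must mint (or exchange for) a fresh token before each downstream hop; with a shared or multi-valued audience a single token flows through all of them, which is simpler but means every service trusts the same credential.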