The Purpose and Function of the Audience Value in a Custom Authorization Server
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

This article clarifies the purpose and function of the Audience value within a custom authorization server. It explains how this value serves as a logical identifier to secure Application Programming Interfaces (APIs).

Applies To
  • Custom Authorization Server
  • API Security
  • OAuth 2.0
  • OpenID Connect (OIDC)
Solution

The Audience value is a crucial security component in a custom authorization server. It functions as a logical identifier for the intended recipient of a token. The value is configured within the Settings tab of an Authorization Server:

(Screenshot: Authorization Server Settings)

Function and Implementation

  • Logical Identifier: The audience is a string set when the custom authorization server is configured. It represents the protected resource or API that the client application intends to access.
  • Token Inclusion: When the authorization server mints an Access Token, it places this identifier in the token's aud (audience) claim.
  • API Validation: The API consuming the token must validate the aud claim. If the value in the token does not match the identifier the API expects, the API must reject the token. This check ensures that a token issued for one service cannot be reused, maliciously or accidentally, to access a different service.
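
The following is an added example, not code from this article or from Okta, showing what the "API Validation" step looks like in a resource server. It verifies the token signature, issuer and expiry and then checks that the configured audience appears in the aud claim, which per RFC 7519 may be a single string or a list. The audience string, issuer URL and shared secret are constructed placeholders; the HS256 signature stands in for the RS256 verification against the authorization server's published keys that a real deployment performs.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. In a real deployment EXPECTED_AUDIENCE
# is the Audience string from the Authorization Server's Settings tab, and the
# issuer is the authorization server's issuer URL.
EXPECTED_AUDIENCE = "api://my-service"                       # assumed audience
EXPECTED_ISSUER = "https://example.okta.com/oauth2/default"  # placeholder issuer
SHARED_SECRET = b"constructed-demo-secret"                   # HS256 stand-in for RS256 keys


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build a compact JWS (HS256) carrying the given claims. This stands in for
    the authorization server minting an access token with an aud claim."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, expected_aud: str = EXPECTED_AUDIENCE,
                   expected_iss: str = EXPECTED_ISSUER,
                   secret: bytes = SHARED_SECRET, now=None) -> dict:
    """Resource-server side check: signature, then iss, exp and aud.
    Raises ValueError on any failure and returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm so a token declaring a different alg is refused.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    # aud may be a single string or a list of strings (RFC 7519, section 4.1.3).
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in audiences:
        raise ValueError("audience mismatch: token was not issued for this API")
    return claims


def accepts(token: str, **kwargs) -> bool:
    """Convenience wrapper: True if the token passes every check."""
    try:
        validate_token(token, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed tokens: one for this API, one minted for a different audience.
    mine = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE,
                       "exp": int(time.time()) + 300, "sub": "user-1"})
    other = mint_token({"iss": EXPECTED_ISSUER, "aud": "api://other-service",
                        "exp": int(time.time()) + 300, "sub": "user-1"})
    print("own audience accepted:", accepts(mine))
    print("other audience rejected:", not accepts(other))
```

The audience check runs only after the signature and issuer have been verified, so an attacker who can forge claims cannot talk their way past it; and because the check is an exact-match against a configured string, a token minted for another authorization server resource is refused even though it was signed by the same issuer.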

