Okta Classic Engine · API Access Management · Answered (dates: 2024-04-17, 2023-09-05, 2023-09-08)

i8ubv (i8ubv) asked a question.

Configuring audience claim for specific resource server

We are building a system consisting of a desktop client and a resource server. When the resource server receives an access token it should check that the audience claim matches the resource server, to ensure that only access tokens intended for this particular resource server can be used.

 

The system can use Okta as well as Keycloak as the IdP. In Keycloak the audience claim is controlled through a client scope mapping, which means that the client requests an access token with a scope that matches the resource server and as a result Keycloak places the client ID of the resource server in the audience claim. The resource server then validates the audience claim by comparing it with its Client ID.

 

I can't find a matching functionality in Okta. It seems like in Okta the audience is linked to the authorization server instead of the resource server, since it is something you set when you create a new authorization server. I have not found a way to configure it per application (I assume a resource server would be an application in Okta terminology).

 

What is Okta's recommended way of controlling what value should be in the audience claim? Should there be a 1:1 relationship between authorization servers and resource servers?

 


  • User16594883467582706479 (Customer Support Online Experience)

    Hi, @i8ubv (i8ubv)

     

    Thank you for posting on our Community page!

     

    Here is a previously answered question on the Dev Forum: https://devforum.okta.com/t/audience-server/16075/2

     

    Hope this helps!

     

    Thank you for reaching out to our Community and have a great day!

  • i8ubv (i8ubv)

    Hi, @User16594883467582706479 (Customer Support Online Experience)

     

    Unfortunately the previous answer does not help with my question. I am well aware of the purpose of the "aud" token and that it can be set when configuring the Authorization Server. If that is the only way to set it that would mean that Okta is designed to have a 1:1 relationship between Authorization Servers and Resource Servers, which I find strange.

     

    Should there be a 1:1 relationship between authorization servers and resource servers in Okta?

  • User16594883467582706479 (Customer Support Online Experience)

    Hi, @i8ubv (i8ubv)

     

    Thank you for posting on our Community page!

     

    As Andrea replied on the post there, 

    “There’s no right or wrong answer here. You are the one that will define the audience within Okta and then configure your resource server/API to expect this audience when it validates tokens. Naming the audience after the resource being protected is more or less a recommendation.”

     

    Thank you for reaching out to our Community and have a great day!

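The thread's practical upshot, both in the original question (the resource server must reject tokens minted for some other resource server) and in the quoted Dev Forum reply (you define the audience on the Okta authorization server and configure the API to expect exactly that value), is an audience check inside the resource server's token validation. The example below is added here and is not code from the thread, from Okta or from Keycloak. It assumes a hypothetical issuer URL and audience string (`https://example.okta.com/oauth2/default`, `api://orders-service`) and, to stay self-contained, signs its constructed sample tokens with HS256 under a shared secret; a real Okta resource server would verify RS256 signatures against the authorization server's JWKS endpoint instead, but the issuer, expiry and audience logic is the same. It also handles the case RFC 7519 allows where `aud` is an array of strings rather than a single string.

```python
"""Audience-aware access-token validation for a resource server.

Added example, not code from the Okta community thread. HS256 with a shared
secret stands in for the RS256/JWKS verification a real Okta-issued token needs;
the audience check is what the thread is about and does not change.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed configuration values; a real deployment reads these from config.
ISSUER = "https://example.okta.com/oauth2/default"   # hypothetical authorization server
EXPECTED_AUDIENCE = "api://orders-service"           # the 'aud' configured on that server
SHARED_SECRET = b"constructed-demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SHARED_SECRET) -> str:
    """Build an HS256 JWT for the sample; stands in for tokens the IdP would issue."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, expected_aud: str = EXPECTED_AUDIENCE,
                   issuer: str = ISSUER, secret: bytes = SHARED_SECRET,
                   now: Optional[float] = None) -> dict:
    """Verify signature, issuer, expiry and audience; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the resource server expects instead of trusting the header.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    current = time.time() if now is None else now
    if claims.get("exp", 0) <= current:
        raise ValueError("token expired")
    # RFC 7519: 'aud' is a single string or an array of strings. The token is
    # acceptable only if this resource server's own identifier is among them.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if expected_aud not in audiences:
        raise ValueError(f"audience mismatch: {audiences!r}")
    return claims


def demo() -> dict:
    """Constructed tokens: one for this API, one minted for a different resource server."""
    base = {"iss": ISSUER, "sub": "user@example.com", "exp": int(time.time()) + 600}
    orders_token = mint_token({**base, "aud": EXPECTED_AUDIENCE})
    billing_token = mint_token({**base, "aud": "api://billing-service"})
    results = {}
    for name, tok in (("orders_token", orders_token), ("billing_token", billing_token)):
        try:
            validate_token(tok)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design choice worth noting is that the resource server compares the token's `aud` against its own configured identifier, which in Okta is the audience value set on the authorization server that issues tokens for it; if several APIs must share one authorization server they therefore also share that audience value, which is the 1:1 question the original poster raises.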
This question is closed.