[Openid-specs-risc] openid/sharedsignals: Comment created on issue 230
Shannon Day
shannonday083 at gmail.com
Tue Sep 16 18:54:24 UTC 2025
The audience (aud) claim in OAuth 2.0 tokens is crucial for API security,
defining the intended recipient of the token. The system receiving the
token must validate the aud claim against its own identifier to prevent
token misuse and unauthorized access. If the aud claim does not match the
expected API identifier, the token should be rejected.
------------------------------
Best Practices for aud validation
- Always validate the aud claim in your API.
- Ensure the audience matches the API's identifier.
- Reject tokens with unexpected or missing aud claims.
Shannon Day
On Tue, Sep 16, 2025, 12:41 PM github--- via Openid-specs-risc <
openid-specs-risc at lists.openid.net> wrote:
> openid/sharedsignals event
>
> Issue Comment created on issue 230
> Issue Title: Confusion about the origin of the 'aud' value in the stream
> configuration
> https://github.com/openid/sharedsignals/issues/230
>
> Comment: I have now seen three possibilities for defining the `aud` value
> in implementations. We should decide which of these is the "correct" way to
> do things so that Transmitters and Receivers can all build with the same
> expectations.
>
> 1. ReceiverCompany says, _"My aud value is www.receivercompany.com"._ They
> set up an agreement with TransmitterCompany so that any streams set up
> between the two companies use "www.receivercompany.com" as the aud value.
> The auth provided during stream creation allows the Transmitter to check
> that the Receiver is coming from ReceiverCompany and it is safe to send that
> aud value.
>
> 2. ReceiverCompany says, _"My aud value is www.receivercompany.com"_.
> TransmitterCompany offers a UI that allows an admin to create a stream with
> any company. In the UI, the admin is asked to plug in the aud value. For
> streams that the admin creates with ReceiverCompany, they plug in
> "www.receivercompany.com" as the aud value. The auth provided during stream
> creation allows the Transmitter to check that the Receiver is coming from
> ReceiverCompany and it is safe to send that aud value.
>
> 3. When TransmitterCompany creates a stream, they generate a unique aud
> value for the stream without regard for what company runs the Receiver. The
> auth provided during stream creation ensures that this is safe and uniquely
> identifies a Receiver.
> _______________________________________________
> Openid-specs-risc mailing list
> Openid-specs-risc at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-risc
>
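A Receiver-side check of the kind described above, added here as an example that is not part of the thread or of the sharedsignals project: it verifies a Security Event Token's HS256 signature with a constructed shared key, then rejects the token when `aud` is missing, malformed, or does not contain the Receiver's configured identifier (`EXPECTED_AUD`, a hypothetical value). `mint_set` exists only to construct sample tokens for the demonstration.

```python
import base64
import hmac
import hashlib
import json

# Constructed demo key shared between Transmitter and Receiver (HS256), not a real secret.
DEMO_KEY = b"constructed-shared-secret-for-demo-only"
# The identifier this Receiver expects to find in `aud` (hypothetical value).
EXPECTED_AUD = "https://www.receivercompany.com"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_set(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT/SET from claims (only used to construct sample input)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "secevent+jwt"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def validate_set(token: str, expected_aud: str = EXPECTED_AUD, key: bytes = DEMO_KEY) -> str:
    """Return 'ok' or the rejection reason for a received SET."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        return "malformed"
    # Check the signature first: `aud` is untrusted until the token's integrity is confirmed.
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        return "bad-signature"
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud")
    if aud is None:
        return "missing-aud"  # reject: the token names no intended recipient
    # RFC 7519 allows `aud` to be a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        return "malformed-aud"
    if expected_aud not in audiences:
        return "aud-mismatch"  # the token was meant for some other Receiver
    return "ok"
```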