authorization server issues an access token with issuer details which are exposed in well-known api of that server. this server uses client authentication JWT token with clients configured , these JWT tokens are sent as a part of request from clients to authorization server and having one of the claim audience of authorization server with URL and port.
Now, the question is should well-known api have the same issuer URL(access token) details as audience in (JWT), or the JWT audience can be different URL with port of authorization server.
payload of client authentication JWT
{
"aud":"https://server:port"
}
payload of access token JWT
{
"iss":"https://server/address/abc"
}
No comments:
Post a Comment