I am experimenting in order to understand and implement a user authorization system using JSON Web Tokens.
While looking for information about how a token is configured, I have a couple of doubts about the use of two payload claims, sub and aud.
{
  "iss": "www.miweb.com", // issuer
  "iat": 1455550200, // issued at
  "exp": 1455559810, // expires
  "nbf": 1455550260, // not before
  "jti": "31d6cfe0d16ae931b73c59d7e0c089c0", // unique id
  "sub": "", // subject?
  "aud": "", // ?
  "data": {/* attached data */}
}
From what I have observed, these two claims are rarely used. My question then is:
In what scenario can they be used, and for what purpose?
Thanks in advance, Regards
PS: The same question is on StackOverflow: https://stackoverflow.com/q/37634140/6272471
Answered by MvdD on StackOverflow
The subject claim ('sub') identifies the user or application (in the case of the client credentials flow) that has been authenticated. The audience claim ('aud') indicates for whom the token is issued.

Suppose my client application has to call service A on behalf of user X. Typically, my request would contact the authorization server to authenticate the user (for example, using one of the OAuth2 grant flows) and request access to service X. The authorization server could authenticate the user and ask for consent. If the user consents, the authorization server will issue a JWT with a subject claim unique to user X and an audience claim indicating service A.
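The flow MvdD describes, as an added example that is not part of the original question or of his answer: the authorization server mints a token whose sub is user X and whose aud is service A, and service A only accepts tokens whose aud names it. The issuer name is taken from the question; the shared HS256 secret, the service names and the verification order are assumptions for the example, not anything from the original post. Only the standard library is used so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Issuer from the question; the secret is a constructed value shared between the
# authorization server and service A (assumption for this example, not from the post).
ISSUER = "www.miweb.com"
SECRET = b"demo-secret-shared-between-authz-server-and-service-A"


def _b64url(data: bytes) -> str:
    """Unpadded base64url, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, aud, secret: bytes, now: Optional[int] = None, ttl: int = 600) -> str:
    """Authorization server side: mint an HS256 JWT for subject `sub`, scoped to audience `aud`.

    `aud` may be a single service name or a list of service names."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "iat": now, "nbf": now, "exp": now + ttl, "sub": sub, "aud": aud}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Resource server side (e.g. service A): verify the signature, the time window, the issuer,
    and that the token was issued for *this* audience. Raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm; never let the token header choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p_b64))
    if payload.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if not (payload.get("nbf", 0) <= now < payload["exp"]):
        raise ValueError("token not yet valid or expired")
    # aud may be a string or a list; this service must appear in it, otherwise a
    # token minted for some other service could be replayed against us.
    aud = payload.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud_list:
        raise ValueError("token not intended for this audience")
    return payload


if __name__ == "__main__":
    tok = issue_token("user-X", "service-A", SECRET)
    print(verify_token(tok, "service-A", SECRET)["sub"])
    try:
        verify_token(tok, "service-B", SECRET)
    except ValueError as err:
        print("service-B rejects it:", err)
```

The point of the audience check is the last branch: a valid token for user X that was issued for service A is still rejected by service B, so a compromised or misbehaving service cannot reuse tokens it received against other services. The subject is what service A then uses as the identity to authorize against.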