The "Audience" in Advanced OAuth2 and OpenID Connect Flows

I want to set/add an entry in ID token’s aud claim, but I can’t figure it out (its value is always just the client_id). I’ve followed the and managed to set the audience for the Access Token, but that does not reflect in the ID token. Any ideas?

Uros Trebec
(20201117:hydra#slack(mailto:[email protected]))

This is explained here:

There are two types of audience concept in the context of OAuth 2.0 and OpenID Connect:

  1. OAuth 2.0: Access and Refresh Tokens are “internal-facing”. The aud claim of an OAuth 2.0 Access and Refresh token defines at which endpoints the token can be used.
  2. OpenID Connect: The ID Token is “external-facing”. The aud claim of an OpenID Connect ID Token defines which clients should accept it.

While modifying the audience of an ID Token is not desirable, specifying the audience of an OAuth 2.0 Access Token is. This is not defined as an IETF Standard but is considered good practice in certain environments.

For this reason, Hydra allows you to control the aud claim of the access token. To do so, you must specify the intended audiences in the OAuth 2.0 Client’s metadata on a per-client basis:

    "client_id": "...",
    "audience": ["", ""]

The audience is a list of case-sensitive URLs. URLs must not contain whitespaces.

The Access Token audience does not translate to ID token because its value is enforced by the library.

The implementation is here:

func (h *Handler) AuthHandler(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
	var ctx = r.Context()

The following people provided support:

Paul Harman :nerd_face: