What is audience? about ruby-jwt HOT 9 CLOSED

Ah I see. Well, the RFC has nothing to do with users at all. It is about transferring abstract claims in a secure fashion.

From the RFC:

The "aud" (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the "aud" claim when this claim is present, then the JWT MUST be rejected.

So whoever or whatever is decoding the JWT should already be expecting a particular value for aud that was arranged out-of-band. So no, aud is not intended for user roles. In my opinion, a user role would be a good fit for a custom claim (named something like user_role). However, this depends on what you are using the JWT for. In general these decisions are made at an architectural-level and then are implemented by both a server and a set of clients.

from ruby-jwt.

This library implements RFC7519. See Section 4.1.3 for the description of the aud claim.

https://tools.ietf.org/html/rfc7519#section-4.1.3

In practical use, this tends to be the "client id" or "client key" of the application that the JWT is intended to be used by. It allows the client to verify that the JWT was sent by someone who actually knows who they are.

from ruby-jwt.

Ok, so roles like admin, guest, etc don't fit here, i guess?

from ruby-jwt.

It's difficult for me to guess what you mean by "don't fit here". This library will not stop you from putting { 'aud' => 'guest' } into a hash and encoding it as a JWT.

What are you trying to do with JWTs?

from ruby-jwt.

This isnt really library specific. I'm just trying to understand if setting the user role type into the aud key meets the RFC. Is the aud intended for that purpose?

from ruby-jwt.

Thanks a lot for that explanation. Clears things up a bit

from ruby-jwt.

Np 😄

from ruby-jwt.

Where is the aud set? Is it set by the token issuer or by app requesting the token?

from ruby-jwt.

It is set by the token issuer, but it is totally optional.

from ruby-jwt.