Access Token needs to include an audience of the Resource Server (Normative)

Issue #284 resolved
Michael Jones created an issue

Currently the spec is silent about whether the Access Token contains an audience. I believe we need to follow this recommendation and require an audience in the access token on at least a SHOULD basis, per the decision on the working group call on November 10, 2011.

As background data, Section 4.6.4 of the OAuth Threat Model and Security Considerations document contains the following:

4.6.4. Threat: Access token phishing by counterfeit resource server

An attacker may pretend to be a particular resource server and to accept tokens from a particular authorization server. If the client sends a valid access token to this counterfeit resource server, the server in turn may use that token to access other services on behalf of the resource owner.

Countermeasures:

o Associate the endpoint address of the resource server the client talked to with the access token (e.g. in an audience field) and validate the association at the legitimate resource server. The endpoint address validation policy may be strict (exact match) or more relaxed (e.g. same host). This would require telling the authorization server the resource server endpoint address in the authorization process.
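The following is an added illustration of the countermeasure quoted above; it is not code from the OpenID Connect specification, the OAuth threat model document, or the issue author. It models a minimal authorization server that mints an HMAC-signed, JWT-shaped access token carrying the resource server endpoint in the `aud` claim, and a resource server that rejects any token whose audience does not match its own endpoint, under either the strict (exact match) or the relaxed (same host) policy. The shared secret, issuer URL and endpoint URLs are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import urlsplit

# Constructed shared secret between the authorization server and the resource
# server (placeholder for this example; a real deployment would use asymmetric
# signing keys or a per-resource-server secret).
SECRET = b"example-shared-secret-do-not-use"
ISSUER = "https://as.example.com"  # hypothetical authorization server


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(subject: str, resource_endpoint: str,
                       lifetime_s: int = 600, now: Optional[int] = None) -> str:
    """Authorization server side: mint a token bound to one resource server endpoint.

    The resource server endpoint the client named during authorization goes
    into the 'aud' claim, which is what lets the legitimate resource server
    tell its own tokens apart from tokens phished by a counterfeit server.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": subject, "aud": resource_endpoint,
              "iat": now, "exp": now + lifetime_s}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def _audience_matches(aud: str, endpoint: str, policy: str) -> bool:
    """Apply the validation policy from the threat model: exact match or same host."""
    if policy == "strict":
        return aud == endpoint
    if policy == "same-host":
        a, e = urlsplit(aud), urlsplit(endpoint)
        return a.scheme == e.scheme == "https" and a.netloc.lower() == e.netloc.lower()
    raise ValueError(f"unknown audience policy: {policy}")


def validate_access_token(token: str, my_endpoint: str, policy: str = "strict",
                          now: Optional[int] = None) -> Optional[dict]:
    """Resource server side: verify signature and expiry, then check the audience.

    Returns the claims on success, or None if the token is malformed, forged,
    expired, or was issued for a different resource server.
    """
    try:
        h, c, s = token.split(".")
        sig = _b64url_decode(s)
        expected = hmac.new(SECRET, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None
        claims = json.loads(_b64url_decode(c))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # A token presented at this endpoint must name this endpoint (or its host)
    # as an audience; anything else was obtained for another resource server.
    if not any(isinstance(a, str) and _audience_matches(a, my_endpoint, policy)
               for a in audiences):
        return None
    return claims


if __name__ == "__main__":
    tok = issue_access_token("alice", "https://api.example.com/photos", now=1000)
    print(validate_access_token(tok, "https://api.example.com/photos", "strict", now=1100))
    print(validate_access_token(tok, "https://counterfeit.example.net/photos", "same-host", now=1100))
```

A token minted for `https://api.example.com/photos` is accepted there under the strict policy, accepted at `https://api.example.com/albums` only under the same-host policy, and rejected at any other host under both; a counterfeit resource server that captures the token therefore cannot replay it against the legitimate one's siblings outside its own audience.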
