Should Oauth audience be different between staging and production environments


I have an API secured using Oauth that I'm exposing in a staging environment and production environment. For proper security, should the audience for the API be different between staging and production?

If the audience is the same between the two environments, wouldn't this allow a single access token to be used to access the API in both production and staging?

Thanks.

CodePudding user response:

The issuer claim should be different for each stage of your deployment pipeline. The audience claim is often a logical name that represents components and can be the same in all environments.

TOKENS ISSUED TO A CLIENT

An access token might contain these built-in claims:

An ID token might contain these:

VALIDATING JWTs in APIs

Typical code is shown below and should verify both issuer and audience. This ensures that each environment rejects tokens from other environments, and returns a 401 response if issuer or audience checks fail.

import { createRemoteJWKSet, jwtVerify } from 'jose';

// JWKS endpoint of this environment's authorization server, used to verify the token signature
const jwksEndpoint = 'https://login.example.com/.well-known/jwks';
const remoteJWKSet = createRemoteJWKSet(new URL(jwksEndpoint));

// jwtVerify is asynchronous, so the function must be async in order to await it
async function validateJwtAccessToken(accessToken) {

    const options = {
        algorithms: ['RS256'],
        // the issuer differs per environment, so tokens from other environments are rejected
        issuer: 'https://login-staging.example.com',
        // the audience is a logical name for the API and can be shared across environments
        audience: 'api.example.com',
    };
    // throws if the signature, issuer, audience or expiry check fails; the API then returns 401
    const result = await jwtVerify(accessToken, remoteJWKSet, options);
    const claims = result.payload;
    return claims;
}

MULTIPLE APIs

A shared audience is sometimes used between multiple APIs from the same owner. If you are developing an orders API that calls a products API, the audience can be the same for both. This enables the JWT to be forwarded between APIs, so that both receive a verifiable user identity.

Each API should then validate the JWT, and also check that the token has the scopes that API requires, from the JWT payload. If this is not the case, e.g. the products API does not receive its required scope, it will return a 403 forbidden response.
