IdentityServer on MVC : What is Audience referring to in AddJwtBearer


I already have the access token working with my application in my api gateway.

var identityUrl = Configuration.GetValue<string>("urls:identity");
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.Authority = Configuration.GetValue<string>("IdentityUrlExternal");
    options.RequireHttpsMetadata = false;   // dev only: allows a plain-HTTP discovery document
    options.Audience = "api1";              // used as TokenValidationParameters.ValidAudience
    options.Events = new JwtBearerEvents()
    {
        // event handlers omitted in the original post
    };
});

What is the audience option in AddJwtBearer referring to? Does that refer to the ClientId or the ApiScope? At the moment, I have based it on the scope of my mobile application's setup for communicating with the API gateway. If I change it to something else, e.g. a client id sent from mobile (ro.client), the authorized API function will not be able to access it.

I would like to get a clear understanding of whether my setting is correct.

In addition, how do I add an Authorized Scope in the ASP.NET Core MVC project under the controller?

There are 2 best solutions below


An audience is a unique identifier for an issued token. The audience value could be either the client id for an id token or an API for an access token.

In your project, you can communicate with api1 by adding it to the scope of your application.


The following link will take you to the explanation: http://docs.identityserver.io/en/latest/topics/apis.html

The ApiName property checks that the token has a matching audience (or aud for short) claim.

In IdentityServer you can also sub-divide APIs into multiple scopes. If you need that granularity you can use the ASP.NET Core authorization policy system to check for scopes.
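The following is an added example, not code from the question or from either answer, showing the three pieces the two answers describe side by side: the IdentityServer resource whose name becomes the aud claim, the JwtBearer Audience on the API gateway that must match it, and per-scope authorization policies applied on controller actions. It assumes IdentityServer4 v4 (ApiResource and ApiScope as separate registrations); the resource name "api1", the scope names "api1.read" and "api1.write", the ro.client settings, the OrdersController and the HasScope helper are all assumptions chosen for illustration. The two sections would normally live in the IdentityServer project's Config.cs and the gateway's Startup.cs respectively.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

// ---- IdentityServer project (Config.cs) ----
public static class Config
{
    // The ApiResource *name* is what IdentityServer puts in the access token's
    // "aud" claim. It is neither a client id nor a scope.
    public static IEnumerable<ApiResource> ApiResources => new[]
    {
        new ApiResource("api1", "Order API")   // assumed resource name
        {
            Scopes = { "api1.read", "api1.write" }
        }
    };

    // Scopes are what a client asks for; they end up in the "scope" claim.
    public static IEnumerable<ApiScope> ApiScopes => new[]
    {
        new ApiScope("api1.read"),             // assumed scope names
        new ApiScope("api1.write")
    };

    public static IEnumerable<Client> Clients => new[]
    {
        new Client
        {
            ClientId = "ro.client",            // appears as "client_id", not "aud"
            AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedScopes = { "api1.read" }    // this client may only read
        }
    };
}

// ---- API gateway project (Startup.cs) ----
public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    // Scope check that works whether the "scope" claim is emitted as one claim
    // per scope (IdentityServer4 default) or as a single space-delimited string.
    public static bool HasScope(ClaimsPrincipal user, string scope) =>
        user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', System.StringSplitOptions.RemoveEmptyEntries))
            .Contains(scope);

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = Configuration.GetValue<string>("IdentityUrlExternal");
                options.RequireHttpsMetadata = true;  // keep HTTPS for the discovery document
                // Must equal the ApiResource name above, so a token minted for
                // some other API (different "aud") is rejected at the gateway.
                options.Audience = "api1";
            });

        // One policy per scope: authentication says *who*, the policy says *what*.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("api1.read", p =>
                p.RequireAuthenticatedUser().RequireAssertion(ctx => HasScope(ctx.User, "api1.read")));
            options.AddPolicy("api1.write", p =>
                p.RequireAuthenticatedUser().RequireAssertion(ctx => HasScope(ctx.User, "api1.write")));
        });

        services.AddControllers();
    }
}

// ---- Controller: scope enforced per action ----
[ApiController]
[Route("api/orders")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    [Authorize(Policy = "api1.read")]      // ro.client's token passes here
    public IActionResult List() => Ok(new[] { "order-1" });

    [HttpPost]
    [Authorize(Policy = "api1.write")]     // ro.client's token gets 403 here
    public IActionResult Create() => Created("api/orders/order-2", null);
}
```

With this layout, changing options.Audience to "ro.client" breaks every call, because the token's aud claim is "api1" (the resource) while "ro.client" only ever appears in the client_id claim. Leaving the audience set to the resource name and moving the finer distinction into scope policies is what the second answer means by sub-dividing an API into scopes.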