Use more meaningful audience in JWT ID token examples
What does this MR do and why?
This MR updates the ID token generation examples in the documentation so that the JWT ID token `aud` value matches the intended recipient of the token.

The `aud` claim is described in RFC 7519 as follows:

> The "aud" (audience) claim identifies the recipients that the JWT is intended for.

The purpose of the `aud` claim is to identify the application / relying party that is intended to receive the JWT credential. This party is named explicitly in order to prevent an ID token with claims xyz issued to access Application 1 from being used to access Application 2 (provided they have similar or the same `bound_claims`). Essentially, not using `aud`, or not using the intended recipient in `aud`, means a token could be reused across relying parties.

The examples use `https://gitlab.example.com` as the audience, which is the token's issuer rather than its audience. The token's actual audience is the Vault server, identified elsewhere as `https://vault.example.com` (hence why that value is used in these changes).
This also updates the example configuration for the JWT Auth Backend Role to include a `bound_audiences` assertion.
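The following is an added example, not code from this MR or from GitLab or Vault, showing why the audience must name the recipient: a relying party that checks `aud` against its own identity (as Vault does with `bound_audiences`) accepts a token whose `aud` is `https://vault.example.com` and rejects one whose `aud` is the issuer `https://gitlab.example.com` or another relying party. The tokens are signed with a constructed HS256 secret so the script runs offline; a real IdP such as GitLab signs with an asymmetric key that the relying party fetches from the issuer's JWKS endpoint, and the `sub` value and helper names here are illustrative assumptions.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

GITLAB = "https://gitlab.example.com"  # issuer of the ID token
VAULT = "https://vault.example.com"    # intended recipient (relying party)

# Constructed demo secret; a production IdP signs with an asymmetric key (RS256/ES256).
DEMO_KEY = b"constructed-demo-hmac-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (HS256) over the given claims; stands in for the IdP."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, expected_iss: str,
                 key: bytes = DEMO_KEY, now: Optional[float] = None) -> dict:
    """Check signature, issuer, expiry and audience; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick an algorithm we did not expect
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    # RFC 7519: aud is a single string or an array of strings; the recipient must be listed.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"audience mismatch: {aud!r}")
    return claims


def _outcome(token: str, expected_aud: str, expected_iss: str, now: float) -> str:
    try:
        verify_token(token, expected_aud, expected_iss, now=now)
        return "accepted"
    except ValueError:
        return "rejected"


def audience_check_outcomes(now: float = 1_700_000_000.0) -> dict:
    """Mint tokens as the docs' examples would and check them as the Vault server would."""
    base = {"iss": GITLAB, "sub": "project_path:group/app:ref_type:branch:ref:main",
            "iat": now, "exp": now + 300}
    vault_view = lambda tok: _outcome(tok, VAULT, GITLAB, now)
    return {
        # old example: aud names the issuer, so the intended recipient rejects it
        "aud_is_issuer": vault_view(mint_token({**base, "aud": GITLAB})),
        # corrected example: aud names the Vault server, so Vault accepts it
        "aud_is_recipient": vault_view(mint_token({**base, "aud": VAULT})),
        # an audience array is fine as long as the recipient is one of its members
        "aud_list_includes_recipient": vault_view(mint_token({**base, "aud": [VAULT, "https://other.example.com"]})),
        # a token scoped to a different relying party cannot be replayed against Vault
        "aud_is_other_party": vault_view(mint_token({**base, "aud": "https://other.example.com"})),
    }


if __name__ == "__main__":
    for case, result in audience_check_outcomes().items():
        print(f"{case}: {result}")
```

In the setup this MR documents, the same comparison is performed by Vault's JWT auth backend against the role's `bound_audiences`, while the token's `aud` is chosen by the job's ID token configuration; the two must agree, and both must name Vault, not GitLab.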