diff --git a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc index 1145e53915a..7e8a642220c 100644 --- a/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc +++ b/docs/modules/ROOT/pages/servlet/oauth2/resource-server/jwt.adoc @@ -132,6 +132,30 @@ We still specify the `issuer-uri` so that Resource Server still validates the `i [NOTE] This property can also be supplied directly on the <>. +== Supplying Audiences + +As already seen, the <<_specifying_the_authorization_server, `issuer-uri` property validates the `iss` claim>>; this is who sent the JWT. + +Boot also has the `audiences` property for validating the `aud` claim; this is who the JWT was sent to. + +A resource server's audience can be indicated like so: + +[source,yaml] +---- +spring: + security: + oauth2: + resourceserver: + jwt: + issuer-uri: https://idp.example.com + audiences: https://my-resource-server.example.com +---- + +[NOTE] +You can also add <>, if needed. + +The result will be that if the JWT's `iss` claim is not `https://idp.example.com`, and its `aud` claim does not contain `https://my-resource-server.example.com` in its list, then validation will fail. + [[oauth2resourceserver-jwt-sansboot]] == Overriding or Replacing Boot Auto Configuration @@ -1061,7 +1085,7 @@ By default, Resource Server configures a clock skew of 60 seconds. [[oauth2resourceserver-jwt-validation-custom]] === Configuring a Custom Validator -Adding a check for the `aud` claim is simple with the `OAuth2TokenValidator` API: +Adding a check for <<_supplying_audiences, the `aud` claim>> is simple with the `OAuth2TokenValidator` API: ==== .Java @@ -1169,6 +1193,9 @@ fun jwtDecoder(): JwtDecoder { ---- ==== +[TIP] +As stated earlier, you can instead <<_supplying_audiences, configure `aud` validation in Boot>>. + [[oauth2resourceserver-jwt-claimsetmapping]] == Configuring Claim Set Mapping
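Review bot: In the first hunk, the closing sentence of the new "Supplying Audiences" section states the failure condition with the wrong connective: "if the JWT's `iss` claim is not `https://idp.example.com`, and its `aud` claim does not contain `https://my-resource-server.example.com` in its list, then validation will fail." Each check is independent, so validation fails when either condition holds; "and" should be "or" (or phrase it as two separate outcomes), otherwise readers may conclude a token with a bad issuer but a matching audience is accepted. Two cross-references in this hunk also appear to have lost their targets ("supplied directly on the <>" and "You can also add <>, if needed"); please confirm those xrefs render before merging.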
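Review bot: In the third hunk, the new TIP ("you can instead configure `aud` validation in Boot") follows a custom `jwtDecoder()` bean in the "Overriding or Replacing Boot Auto Configuration" path; consider adding a clause that the Boot `audiences` property only takes effect when Boot is the one building the decoder, so readers who have already supplied their own `JwtDecoder` bean do not expect the property to be honoured alongside it.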