
Set and enforce a single aud (audience) claim on issued tokens #46

Description

@Bccorb

Problem

The auth server signs tokens with iss but no aud (audience) claim. See src/lib/token.ts: signAccessToken, signRefreshToken, and signEphemeralToken set .setIssuer(ISSUER) but never .setAudience(...). Verifiers (the @seamless-auth/express adapter) validate iss against the auth-server URL but cannot enforce an audience, so a token can't be scoped to its intended audience.

Goal

Issue tokens with a single, well-defined audience (e.g. seamless-auth) and have all verifiers enforce it. Note the internal service-token path already standardizes on aud: seamless-auth (src/middleware/authenticateServiceToken.ts), so we should align on one audience scheme for the auth server rather than introduce a second.

Scope (contract change — ripples to verifiers)

  • src/lib/token.ts: add .setAudience(<canonical aud>) to access/refresh/ephemeral signing.
  • @seamless-auth/express / @seamless-auth/core: pass audience to jwtVerify / createRemoteJWKSet verification so it's enforced.
  • Coordinate the rollout: verifiers must accept the new aud before (or at the same time as) the server starts emitting it, to avoid breaking live sessions.

Context

Surfaced while building the cross-SDK conformance harness (seamless verify). Future hardening item, not urgent.
