
Set and enforce a single aud (audience) claim on issued tokens #46

Description

@Bccorb

Problem

The auth server signs tokens with iss but no aud (audience) claim. See src/lib/token.ts: signAccessToken, signRefreshToken, and signEphemeralToken set .setIssuer(ISSUER) but never .setAudience(...). Verifiers (the @seamless-auth/express adapter) validate iss against the auth-server URL but cannot enforce an audience, so a token can't be scoped to its intended audience.

Goal

Issue tokens with a single, well-defined audience (e.g. seamless-auth) and have all verifiers enforce it. Note the internal service-token path already standardizes on aud: seamless-auth (src/middleware/authenticateServiceToken.ts), so we should align on one audience scheme for the auth server rather than introduce a second.

Scope (contract change — ripples to verifiers)

  • src/lib/token.ts: add .setAudience(<canonical aud>) to access/refresh/ephemeral signing.
  • @seamless-auth/express / @seamless-auth/core: pass audience to jwtVerify / createRemoteJWKSet verification so it's enforced.
  • Coordinate the rollout: verifiers must accept the new aud before (or at the same time as) the server starts emitting it, to avoid breaking live sessions.

Context

Surfaced while building the cross-SDK conformance harness (seamless verify). Future hardening item, not urgent.
