This repository has been archived by the owner on Feb 7, 2020. It is now read-only.
Jean-Marc Prieur edited this page Jul 25, 2017 · 2 revisions

FAQ

Why is the audience set to the ClientID in the case of a Single Page Application

Summary

The audience is the value the web service uses to verify that a token was issued for it, and not for some other resource. In the single page application (SPA) case that value happens to be the App ID (the clientID) of the application, whereas in the other cases it is the Application ID URI of the web service.

Details

A token meant for a given resource must carry the identifier of that resource in its audience (aud) claim, and the resource must compare that claim with its own identifier before accepting the token. In the general case that audience is the App ID URI of the web service. In the SPA case, however, the JavaScript portion of the app requests a token for its own backend, that is to say for the very same app entry in Azure AD. There is a token type with exactly that semantic, and that is the ID token. The id_token has the clientID of the application as its audience, which is why the web service in the SPA case is configured with the VALUE of the clientID. Its semantic nevertheless remains that of the "audience", the value used to verify that the token was actually meant for its destination. The fact that in this case the audience happens to be the same as the clientID is just a "coincidence". Changing the terminology on the web API project would make the web API less flexible, since the same audience check must also work when the web API is a separate resource identified by its App ID URI. (reference #7)
