Skip to content

Support aud? #73

New issue
New issue
Open
Open
Support aud?#73
@kentcdodds

Description

@kentcdodds
kentcdodds
opened on Sep 7, 2025

Feature Request: Add Audience (aud) Claim Support

Problem

The current @cloudflare/workers-oauth-provider package doesn't support the aud (audience) claim, which is recommended in OAuth 2.0 best practices (RFC 9068) for identifying the intended recipient of tokens.

Proposed Solution

  1. Add optional audience parameter to completeAuthorization() method
  2. Store audience in token grant data
  3. Include aud claim in introspection responses (Create an introspection endpoint #72)
  4. Maintain backward compatibility

Use Cases

  • Multi-service architectures where tokens should be restricted to specific resource servers
  • Enhanced security for applications following OAuth 2.0 best practices
  • Compliance with enterprise security requirements

Implementation Details

  • Add audience?: string | string[] to authorization options
  • Store in grant data alongside clientId and scope
  • Include in introspection response as aud field
  • Optional feature - no breaking changes

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions