Endpoint accepts JWTs without audience


Description

This publicly exposed API endpoint accepts JWTs that do not include an audience (aud) claim. The audience claim identifies the intended recipients of the JWT and is a crucial security mechanism to prevent token misuse.

When JWTs lack an audience claim, several security risks emerge:

  1. Cross-service token abuse: Attackers who obtain a JWT for a different API or service can potentially use it against this endpoint.
  2. Broader attack surface: Without audience restrictions, compromised tokens have wider potential for misuse across different parts of the system.

The audience claim serves as an important defense mechanism by ensuring that JWTs are only accepted by their intended recipients. Without this claim, the principle of least privilege is violated, as tokens become more broadly usable than intended.

Remediation

Update your authentication service to set the audience (aud) claim when issuing JWTs, and make each receiving service verify that the claim names that service, rejecting any token whose aud claim is missing or does not match.
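The following is an added example, not code from the page or from any particular product: a minimal stdlib-only HS256 issuer and verifier showing the receiving-service check. The service names ("orders-api", "billing-api"), the secret and the claims are constructed for the demo; a real deployment would use a JWT library and a key-management service, but the audience logic is the same.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; stands in for the authentication service (constructed)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, secret: bytes, expected_aud: str) -> dict:
    """Receiving-service check: signature, expiry and audience. Raises ValueError."""
    h_b64, p_b64, s_b64 = token.split(".")
    if json.loads(_b64url_decode(h_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired or missing exp")
    aud = claims.get("aud")
    if aud is None:
        raise ValueError("missing aud claim")  # the condition this finding reports
    audiences = aud if isinstance(aud, list) else [aud]  # RFC 7519 allows string or array
    if expected_aud not in audiences:
        raise ValueError("aud mismatch")  # token was minted for another service
    return claims

def demo(secret: bytes = b"constructed-demo-secret") -> dict:
    # Three tokens from the same issuer, all presented to the (hypothetical) orders API.
    exp = time.time() + 300
    cases = {
        "no_aud": issue_jwt({"sub": "alice", "exp": exp}, secret),
        "billing_aud": issue_jwt({"sub": "alice", "exp": exp, "aud": "billing-api"}, secret),
        "orders_aud": issue_jwt({"sub": "alice", "exp": exp, "aud": ["orders-api", "billing-api"]}, secret),
    }
    results = {}
    for name, token in cases.items():
        try:
            verify_jwt(token, secret, expected_aud="orders-api")
            results[name] = "accepted"
        except ValueError as err:
            results[name] = f"rejected: {err}"
    return results
```

Only the token that explicitly lists "orders-api" in its aud claim is accepted; the token without an audience and the one issued for the billing service are both refused, which is the cross-service reuse the description warns about.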