Endpoint accepts JWTs without audience
Description
This publicly exposed API endpoint accepts JWTs that do not include an audience (aud) claim. The audience claim identifies the intended recipients of the JWT and is a crucial security mechanism to prevent token misuse.
When JWTs lack an audience claim, several security risks emerge:
- Cross-service token abuse: Attackers who obtain a JWT for a different API or service can potentially use it against this endpoint.
- Broader attack surface: Without audience restrictions, compromised tokens have wider potential for misuse across different parts of the system.
The audience claim serves as an important defense mechanism by ensuring that JWTs are only accepted by their intended recipients. Without this claim, the principle of least privilege is violated, as tokens become more broadly usable than intended.
Update your authentication service to add an audience claim in the JWT and verify it in the receiving services.
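The issuing and receiving sides of that remediation, as an added example that is not part of this page and not Datadog's code: a minimal HS256 JWT issuer (with and without aud, to reproduce the finding) and a verifier that rejects any token whose aud claim is absent or does not name this service. The shared secret, the audience URI and the function names are constructed for the example; a real service would load the secret from a secret manager and usually use a maintained JWT library rather than hand-rolled encoding.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; in production this comes from a secret manager.
SECRET = b"demo-shared-secret-do-not-use"
# The identifier this receiving service expects to find in aud (assumed value).
EXPECTED_AUDIENCE = "https://orders.example.internal"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Restore the padding JWT strips before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, audience=None, ttl: int = 300) -> str:
    """Issuing side: build an HS256 JWT. audience=None reproduces the finding;
    audience may be a single string or a list of strings (RFC 7519 allows both)."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"sub": subject, "iat": now, "exp": now + ttl}
    if audience is not None:
        claims["aud"] = audience
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_audience: str) -> dict:
    """Receiving side: check signature and expiry, then require that aud
    names this service. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected_sig = hmac.new(
        SECRET, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= time.time():
        raise ValueError("token expired")
    aud = claims.get("aud")
    if aud is None:
        # This is the check the finding says is missing.
        raise ValueError("missing aud claim")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        raise ValueError("audience mismatch")
    return claims


def accepts(token: str, expected_audience: str = EXPECTED_AUDIENCE) -> bool:
    """Convenience wrapper: True if the endpoint would accept the token."""
    try:
        verify_token(token, expected_audience)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("correct aud :", accepts(issue_token("user-1", EXPECTED_AUDIENCE)))
    print("no aud      :", accepts(issue_token("user-1")))
    print("other aud   :", accepts(issue_token("user-1", "https://billing.example.internal")))
```

The verifier treats a missing aud the same way as a wrong one: both are rejected before any business logic runs, so a token minted for another service with the same signing key cannot be replayed against this endpoint.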