Endpoint accepts JWTs without audience


Description

This publicly exposed API endpoint accepts JWTs that do not include an audience (aud) claim. The audience claim identifies the intended recipients of the JWT and is a crucial security mechanism to prevent token misuse.

When JWTs lack an audience claim, several security risks emerge:

  1. Cross-service token abuse: Attackers who obtain a JWT for a different API or service can potentially use it against this endpoint.
  2. Broader attack surface: Without audience restrictions, compromised tokens have wider potential for misuse across different parts of the system.

The audience claim serves as an important defense mechanism by ensuring that JWTs are only accepted by their intended recipients. Without this claim, the principle of least privilege is violated, as tokens become more broadly usable than intended.

Remediation

Update your authentication service to include an audience (aud) claim in every JWT it issues, and verify that claim in each receiving service, rejecting any token whose aud does not name that service.
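The weak and corrected verification paths side by side, as an added illustration that is not part of this page: a minimal HS256 issuer and verifier written on the standard library, where passing `expected_audience=None` models the finding above and a concrete audience models the remediation. Secret, service names and claims are constructed for the demo.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

SECRET = b"constructed-demo-secret"  # constructed sample key; real keys come from a secret store

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub: str, audience: Optional[str] = None, secret: bytes = SECRET) -> str:
    """Authentication service: mint an HS256 JWT. audience=None models a legacy token with no aud."""
    header = {"alg": "HS256", "typ": "JWT"}
    now = int(time.time())
    claims = {"sub": sub, "iat": now, "exp": now + 300}
    if audience is not None:
        claims["aud"] = audience  # name the intended recipient
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, expected_audience: Optional[str], secret: bytes = SECRET) -> dict:
    """Receiving service: check alg, signature and expiry, then enforce aud.
    expected_audience=None is the weak configuration this finding describes;
    a concrete service name is the remediated configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never trust the header's choice
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    if expected_audience is not None:
        aud = claims.get("aud")  # RFC 7519 allows a string or a list of strings
        allowed = aud if isinstance(aud, list) else [aud]
        if expected_audience not in allowed:
            raise ValueError("audience mismatch: token not intended for this service")
    return claims
```

With the audience enforced, a token minted for one service is refused by every other, which is exactly the cross-service abuse the description warns about.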