Monday 15 April 2013

security - Using JWT audience field for authorization roles

I'm considering using the JWT audience field to implement role-based authorization in an app.

So I'd have ServiceA require the 'RoleA' audience to be present, ServiceB require 'RoleB', etc. When I issue the JWT, I include the appropriate audience(s).

The relevant section of the JWT draft spec:

The aud (audience) claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the aud claim when this claim is present, then the JWT must be rejected... The interpretation of audience values is application specific.

So this appears to work, but since I'm new to JWT I'm wondering: is role-based authorization an appropriate use case for the audience field? Or should I roll my own logic using a custom roles array in the payload, etc.?

Thanks

I understand the audience rather as a list of consumers/applications that can authorize the user.

In my application I set the roles in my own array in the payload. An illustration of that:

{ "sub": 1234567890, "exp": 9876543210, "name": "john doe", "roles": ["user", "editor"] }

On the server I authorize using Spring Security, with the user loaded from the "sub".

And on the client I can utilize these roles to show the proper buttons and fields.
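Added example (not code from the question or the answer) showing the two checks side by side: the aud claim decides whether this service may accept the token at all, and the custom roles claim then decides what the caller may do within that service. It assumes HS256 with a shared secret; the key, service names and claims are constructed for the demo, and a real deployment would use a maintained JWT library rather than this hand-rolled codec.

```python
import base64, hashlib, hmac, json, time

DEMO_KEY = b"constructed-demo-secret"  # constructed; never hard-code a real key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def decode_hs256(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Verify signature, exp and aud (the 'is this token for me?' check); raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; never let the header choose it
    expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")  # token was issued for some other service
    return claims


def authorize(token: str, key: bytes, service_aud: str, required_role: str, now=None) -> bool:
    """Accept the token only for our own audience, then check the roles claim for the permission."""
    try:
        claims = decode_hs256(token, key, service_aud, now)
    except ValueError:
        return False
    return required_role in claims.get("roles", [])
```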
