11 Feb
Bearer JWT client authentication and access token issued by authorization server
An authorization server issues an access token whose issuer details are exposed in a well-known API of that server. This server uses client authentication JWT tokens with the configured clients. These JWT tokens are sent as part of a request from clients to the authorization server, and one of their claims is the audience of the authorization server, given as a URL with port.
Should the well-known API have the same issuer URL (access token) details as the audience in the JWT, or can the JWT audience be a different URL with the port of the authorization server?
Payload of client authentication JWT
{
"aud":"https://server:port"
}
Payload of access token JWT
{
"iss":"https://server/address/abc"
}
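The check an authorization server runs on a client authentication JWT, as an added example that is not part of the question or of any particular server's code. RFC 7523 requires the aud claim to identify the authorization server; the token endpoint URL is the value it names, and OpenID Connect Core says aud SHOULD be the token endpoint URL, with many servers also accepting their issuer identifier. The discovery document, client_id, shared secret and timestamps below are constructed for the demo; HS256 (client_secret_jwt) is used only so the example needs nothing beyond the standard library, where a production client would sign with a private key (private_key_jwt).

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo values; a real deployment uses private_key_jwt with asymmetric keys.
CLIENT_ID = "demo-client"
CLIENT_SECRET = b"demo-shared-secret-do-not-reuse"

# Constructed stand-in for the AS discovery document the question refers to
# (what GET https://server/address/abc/.well-known/openid-configuration would return).
DISCOVERY = {
    "issuer": "https://server/address/abc",
    "token_endpoint": "https://server/address/abc/oauth2/token",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Compact-serialise claims as an HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes) -> dict:
    """Check the HS256 signature and return the claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    head_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(head_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose it
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body_b64))


def make_client_assertion(client_id: str, audience, key: bytes, now: int, ttl: int = 60) -> str:
    """Client side: the JWT sent as client_assertion to the token endpoint (RFC 7523 section 3)."""
    claims = {"iss": client_id, "sub": client_id, "aud": audience,
              "iat": now, "exp": now + ttl, "jti": secrets.token_urlsafe(16)}
    return sign_jwt(claims, key)


def accepted_audiences(discovery: dict) -> set:
    """aud values this AS will accept: its issuer identifier and its token endpoint URL.
    Comparison is exact string match, so a bare origin such as https://server:port only
    passes if the AS is explicitly configured with that value."""
    return {discovery["issuer"], discovery["token_endpoint"]}


def check_client_assertion(token: str, key: bytes, discovery: dict, client_id: str, now: int):
    """AS side: return None when the assertion is acceptable, otherwise the rejection reason."""
    try:
        claims = verify_jwt(token, key)
    except ValueError as exc:
        return str(exc)
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return "iss/sub do not match client_id"
    aud = claims.get("aud")
    aud_values = set(aud) if isinstance(aud, list) else {aud}
    if not aud_values & accepted_audiences(discovery):
        return "aud does not identify this AS"
    if claims.get("exp", 0) <= now:
        return "assertion expired"
    if not claims.get("jti"):
        return "missing jti"  # jti lets the AS reject replayed assertions
    return None


if __name__ == "__main__":
    now = 1_700_000_000
    for aud in (DISCOVERY["token_endpoint"], DISCOVERY["issuer"], "https://server:port"):
        token = make_client_assertion(CLIENT_ID, aud, CLIENT_SECRET, now)
        print(aud, "->", check_client_assertion(token, CLIENT_SECRET, DISCOVERY, CLIENT_ID, now))
```

Running the block shows the point the question turns on: the aud values are compared literally against what the AS advertises, so the issuer URL and the token endpoint URL from the discovery document are accepted, while an origin-only value with a port is rejected unless the AS was configured to accept it. The access token's iss claim is a separate matter; it tells the resource server who issued that token and does not have to equal the client assertion's aud, though both are normally derived from the same issuer identifier.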