3. Security Considerations
An audience-restricted access token that is legitimately presented to a resource cannot then be taken by that resource and presented elsewhere for illegitimate access to other resources. The resource parameter enables a client to indicate the protected resources where the requested access token will be used, which in turn enables the authorization server to apply the appropriate audience restrictions to the token.
Some servers may host user content or be multi-tenant. In order to avoid attacks where one tenant uses an access token to illegitimately access resources owned by a different tenant, it is important to use a specific resource URI including any portion of the URI that identifies the tenant, such as a path component. This will allow access tokens to be audience-restricted in a way that identifies the tenant and prevents their use, due to an invalid audience, at resources owned by a different tenant.
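The following is an added example of the resource-server side of the tenant check described above; it is not text or code from this document. It assumes the token's signature, issuer and expiry have already been verified and that "claims" is the decoded JWT payload, whose "aud" claim (RFC 7519) may be a single string or a list of strings. The tenant layout is constructed for the example: tenants live under /tenants/<name>/ on one shared API host, so the tenant-identifying path component is what the token's audience must name.

```python
"""Resource-server audience check against a tenant-scoped resource URI.

Added example; not from RFC 8707. Assumes signature, issuer and expiry
were already verified and `claims` is the decoded JWT payload. The
/tenants/<name>/ layout is constructed for this example.
"""
from urllib.parse import urlsplit, urlunsplit


def normalize_resource_uri(uri: str) -> str:
    """Canonical form for comparison: lowercase scheme and authority,
    query and fragment dropped, trailing slash removed."""
    parts = urlsplit(uri)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not a network-addressable absolute URI: {uri!r}")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path.rstrip("/"), "", ""))


def tenant_resource_for_request(request_url: str) -> str:
    """The tenant-specific resource URI a token must name to be accepted
    for this request, e.g. https://api.example.com/tenants/acme."""
    parts = urlsplit(request_url)
    segments = [s for s in parts.path.split("/") if s]
    if len(segments) < 2 or segments[0] != "tenants":
        raise ValueError(f"no tenant in request path: {request_url!r}")
    return normalize_resource_uri(
        f"{parts.scheme}://{parts.netloc}/tenants/{segments[1]}")


def token_audiences(claims: dict) -> list:
    """`aud` as a list, whether the token carried a string or an array."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def audience_allows(claims: dict, request_url: str) -> bool:
    """True only if some `aud` value equals this tenant's resource URI.

    A host-wide audience such as https://api.example.com does not match:
    it would let a token obtained for one tenant be replayed at another.
    """
    expected = tenant_resource_for_request(request_url)
    for aud in token_audiences(claims):
        try:
            if normalize_resource_uri(aud) == expected:
                return True
        except ValueError:
            continue  # non-URI audience values never name a resource
    return False


if __name__ == "__main__":
    # Constructed claims, as a verified token for tenant "acme" would carry.
    acme = {"iss": "https://as.example.com", "sub": "alice",
            "aud": "https://api.example.com/tenants/acme"}
    print(audience_allows(acme, "https://api.example.com/tenants/acme/files/1"))    # True
    print(audience_allows(acme, "https://api.example.com/tenants/globex/files/1"))  # False
```

The comparison is an exact match on the normalized URI rather than a prefix match, so a token whose audience is the bare host is rejected at every tenant path; that is the deliberate consequence of requiring the tenant-identifying component in the resource value.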
Although multiple occurrences of the resource parameter may be included in a token request, using only a single resource parameter is encouraged. If a bearer token has multiple intended recipients (audiences), then the token is valid at more than one protected resource and can be used by any one of those resources to access any of the others. Thus, a high degree of trust between the involved parties is needed when using access tokens with multiple audiences. Furthermore, an authorization server may be unwilling or unable to fulfill a token request with multiple resources.
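The following is an added example of how an authorization server's token endpoint might process the resource parameter(s) in light of the paragraph above; it is not text or code from this document or from any particular authorization server. It assumes the token request body has been read as application/x-www-form-urlencoded text. The single-resource default is this example's policy, matching the recommendation above; the "invalid_target" error code is the one this specification (Section 2) defines for resource values the server will not accept.

```python
"""Authorization-server handling of the resource parameter in a token request.

Added example; not from RFC 8707 or any specific server. Assumes the
request body is already available as a form-encoded string. The
one-resource-per-request default is this example's policy.
"""
from urllib.parse import parse_qs, urlsplit


class InvalidTarget(Exception):
    """Raised when a resource value is malformed or not acceptable."""


def validate_resource(value: str) -> str:
    """Syntax checks from RFC 8707 Section 2: absolute URI, no fragment.
    A URN such as urn:example:api is an absolute URI and is accepted."""
    parts = urlsplit(value)
    if not parts.scheme:
        raise InvalidTarget(f"resource is not an absolute URI: {value!r}")
    if parts.fragment or value.endswith("#"):
        raise InvalidTarget(f"resource must not include a fragment: {value!r}")
    return value


def resources_from_request(body: str, allow_multiple: bool = False) -> list:
    """Every resource parameter in the body, validated and de-duplicated.

    Multiple distinct resources are refused unless the deployment has
    opted into multi-audience tokens: such a token is valid at each listed
    resource, and any of them could replay it at the others.
    """
    form = parse_qs(body, keep_blank_values=True)
    seen, resources = set(), []
    for value in form.get("resource", []):
        value = validate_resource(value)
        if value not in seen:
            seen.add(value)
            resources.append(value)
    if len(resources) > 1 and not allow_multiple:
        raise InvalidTarget("this server issues tokens for a single resource per request")
    return resources


def audience_claim(resources: list):
    """The aud claim for the issued token: a bare string for one audience,
    an array for several (RFC 7519 Section 4.1.3 allows either form).
    None means no resource was named and the server's own default applies."""
    if not resources:
        return None
    return resources[0] if len(resources) == 1 else resources


def token_request_outcome(body: str, allow_multiple: bool = False) -> dict:
    """What the token endpoint decides as far as audience goes: either the
    aud claim to place in the token or an OAuth error response body."""
    try:
        return {"aud": audience_claim(resources_from_request(body, allow_multiple))}
    except InvalidTarget as exc:
        return {"error": "invalid_target", "error_description": str(exc)}


if __name__ == "__main__":
    # Constructed request bodies; the code value is a placeholder.
    one = ("grant_type=authorization_code&code=abc"
           "&resource=https%3A%2F%2Fapi.example.com%2Ftenants%2Facme")
    print(token_request_outcome(one))
    print(token_request_outcome(one + "&resource=https%3A%2F%2Fcal.example.com%2F"))
```

Refusing the multi-resource request outright is the conservative default; a deployment that has established the trust between the named resources can pass allow_multiple=True and will then mint a token whose aud is an array.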
Whenever feasible, the resource parameter should correspond to the network-addressable location of the protected resource. This makes it possible for the client to validate that the resource being requested controls the corresponding network location, reducing the risk of malicious endpoints obtaining tokens meant for other resources. If the resource parameter contains an abstract identifier, it is the client's responsibility to validate out of band that any network endpoint to which tokens are sent is the intended audience for that identifier.
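The following is an added example of the client-side check the paragraph above calls for; it is not text or code from this document. The client remembers the resource value it sent in the token request and, before presenting the token, checks that the destination endpoint actually belongs to that resource. For a network-addressable resource URI the check is mechanical (same origin, request path under the resource path); for an abstract identifier it can only consult out-of-band configuration, represented here by the constructed ABSTRACT_RESOURCE_ORIGINS table. The identifiers, hosts and the RFC 6750 requirement that bearer tokens travel only over TLS are the example's assumptions.

```python
"""Client-side check before a token is attached to an outgoing request.

Added example; not from RFC 8707. The resource identifiers, hosts and the
ABSTRACT_RESOURCE_ORIGINS table are constructed for this example.
"""
from urllib.parse import urlsplit

# Constructed for this example: which origins the deployment has verified,
# out of band, as the legitimate endpoints for each abstract identifier.
ABSTRACT_RESOURCE_ORIGINS = {
    "urn:example:payments-api": ("https://pay.example.com",),
}


def origin(url: str) -> tuple:
    """(scheme, host, port) with the default port filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else {"https": 443, "http": 80}.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)


def endpoint_belongs_to_resource(resource: str, endpoint_url: str) -> bool:
    """True if presenting a token minted for `resource` at `endpoint_url`
    keeps it within its intended audience."""
    ep = urlsplit(endpoint_url)
    if ep.scheme.lower() != "https":
        return False  # bearer tokens go over TLS only (RFC 6750 Section 5.3)
    res = urlsplit(resource)
    if res.netloc:
        # Network-addressable identifier: same origin, and the request path
        # must sit under the resource path as a whole segment, so that a
        # token for /tenants/acme is never sent to /tenants/acmecorp.
        if origin(resource) != origin(endpoint_url):
            return False
        prefix = res.path.rstrip("/") + "/"
        return (ep.path.rstrip("/") + "/").startswith(prefix)
    # Abstract identifier: only the out-of-band configuration can vouch.
    allowed = ABSTRACT_RESOURCE_ORIGINS.get(resource, ())
    return origin(endpoint_url) in {origin(o) for o in allowed}


def bearer_headers(resource: str, endpoint_url: str, token: str) -> dict:
    """Headers for the request; raises instead of leaking the token when
    the endpoint is not the resource the token was issued for."""
    if not endpoint_belongs_to_resource(resource, endpoint_url):
        raise PermissionError(
            f"refusing to send a token for {resource!r} to {endpoint_url!r}")
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    acme = "https://api.example.com/tenants/acme"
    print(endpoint_belongs_to_resource(acme, "https://api.example.com/tenants/acme/files/1"))     # True
    print(endpoint_belongs_to_resource(acme, "https://api.example.com/tenants/acmecorp/files/1")) # False
    print(endpoint_belongs_to_resource(acme, "https://api.example.com.evil.net/tenants/acme/"))   # False
```

The origin comparison uses the parsed hostname rather than the raw authority, so userinfo tricks such as https://api.example.com@evil.net/ resolve to the host that would actually receive the token; the path test appends a slash on both sides so that a prefix match cannot be satisfied by a longer sibling segment.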