https://sauvikbiswas.com/tags/resource-indicators/ Recent content in Resource-Indicators on Sauvik Biswas Hugo en-us Fri, 26 Jun 2026 00:00:00 +0000 https://sauvikbiswas.com/posts/learning-oauth-2-09/ Fri, 26 Jun 2026 00:00:00 +0000 https://sauvikbiswas.com/posts/learning-oauth-2-09/ <h2 class="heading" id="why-a-generic-access-token-is-not-enough"> Why a generic access token is not enough <a class="anchor" href="#why-a-generic-access-token-is-not-enough">#</a> </h2> <p><a href="https://sauvikbiswas.com/posts/learning-oauth-2-08/">v08</a> replaced the shared <code>JWT_SECRET</code> with RS256 + JWKS. Verifiers fetch public keys and check signatures. That fixed the question of who can forge tokens.</p> <p>It did not fix the question of where a token may be used.</p> <p>In v08, Mode B access tokens carry a hard-coded audience:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> <span class="nt">&#34;aud&#34;</span><span class="p">:</span> <span class="s2">&#34;resource-server&#34;</span><span class="p">,</span> <span class="nt">&#34;iss&#34;</span><span class="p">:</span> <span class="s2">&#34;auth-server&#34;</span><span class="p">,</span> <span class="nt">&#34;sub&#34;</span><span class="p">:</span> <span class="s2">&#34;user0&#34;</span> <span class="p">}</span> </span></span></code></pre></div><p>That string is a lab placeholder, not a real resource binding. Any API that knows to expect <code>aud: resource-server</code> would accept the token. In production there can be dozens of APIs behind one IdP (payments, calendar, internal admin tools), each with its own canonical URI. A token minted for one API should not work against another, even when both trust the same issuer.</p>