I’m looking for guidelines or best practices around how to leverage these two JWT fields, either in terms of generic OAUTH2 guidelines or Okta-specific guidelines. From my reading, I am thinking of them as:
- ‘Audience’ pertains to the Services that would receive and handle a JWT. If they don’t consider themselves the right ‘Audience’ they should not perform the request.
- ‘Scope’ pertains to the underlying data resources, maybe more like a traditional entitlement or permission but mainly a granularity.
I could intuitively think of Scopes nesting within each other but not Audiences. Problem is, Scope supports a list of scopes, but Audience seems to be a scalar. Given these definitions, I’d kind of prefer the opposite. Which suggests that perhaps I’m not really thinking about them correctly, or at least not aligned to their original intent.
Is there any discussion or set of examples that clarify how these claims are designed to be used?
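The following is an added worked example, not part of the original post and not Okta's or any library's code. It shows how a resource server would consume the two claims the post asks about: `aud` is checked per RFC 7519 §4.1.3, which allows the value to be either a single string or an array of strings (so it is not strictly scalar), and the recipient rejects the token unless it finds its own identifier there; `scope` is treated as the space-delimited string of RFC 6749 §3.3 (carried in a JWT as the `scope` claim per RFC 8693 §4.2), and the request is refused unless every scope the endpoint requires was granted. The issuer URL, the `api://orders` and `api://billing` audience identifiers, the scope names, the fixed clock value and the HS256 demo key are all constructed for the example; a real deployment would verify the authorization server's asymmetric signature using its published keys.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. A real resource server verifies the issuer's
# asymmetric signature with keys fetched from the issuer; HS256 is used here
# only so the example runs offline with the standard library.
DEMO_KEY = b"demo-hmac-key-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Stand-in for the authorization server: build a signed HS256 JWT."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_signature(token: str, key: bytes = DEMO_KEY) -> dict:
    """Check the signature and return the decoded payload, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(p))


def audience_matches(aud_claim, my_identifier: str) -> bool:
    """RFC 7519 s4.1.3: 'aud' is a string or an array of strings. The recipient
    must reject the token unless it identifies itself in that value."""
    if isinstance(aud_claim, str):
        return aud_claim == my_identifier
    if isinstance(aud_claim, list):
        return any(isinstance(a, str) and a == my_identifier for a in aud_claim)
    return False  # absent or malformed aud: the token is not for us


def granted_scopes(scope_claim) -> set:
    """'scope' is a space-delimited string (RFC 6749 s3.3, RFC 8693 s4.2)."""
    if not isinstance(scope_claim, str):
        return set()
    return set(scope_claim.split())


def authorize(token: str, my_identifier: str, required_scopes, now=None, key=DEMO_KEY):
    """Resource-server decision for one request. Returns (allowed, reason)."""
    try:
        claims = verify_signature(token, key)
    except ValueError as exc:
        return False, f"signature: {exc}"
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "expired"
    # Audience first: a valid token for some other API must still be refused.
    if not audience_matches(claims.get("aud"), my_identifier):
        return False, "audience mismatch"
    # Then scope: the token is for us, but does it cover this operation?
    missing = set(required_scopes) - granted_scopes(claims.get("scope"))
    if missing:
        return False, "insufficient_scope: " + " ".join(sorted(missing))
    return True, "ok"


# Constructed tokens and a fixed clock so the example is deterministic.
NOW = 1_700_000_000
TOKEN_ARRAY_AUD = mint_token({
    "iss": "https://issuer.example", "sub": "user1",
    "aud": ["api://orders", "api://billing"],      # array form of aud
    "scope": "orders:read orders:write", "exp": NOW + 600,
})
TOKEN_STRING_AUD = mint_token({
    "iss": "https://issuer.example", "sub": "user1",
    "aud": "api://billing",                         # string form of aud
    "scope": "billing:read", "exp": NOW + 600,
})


def demo() -> dict:
    """Exercise the four interesting cases; keys are labels for the reader."""
    return {
        "orders_read": authorize(TOKEN_ARRAY_AUD, "api://orders", {"orders:read"}, now=NOW),
        "orders_missing_scope": authorize(TOKEN_ARRAY_AUD, "api://orders", {"orders:delete"}, now=NOW),
        "billing_string_aud": authorize(TOKEN_STRING_AUD, "api://billing", {"billing:read"}, now=NOW),
        "billing_token_at_orders": authorize(TOKEN_STRING_AUD, "api://orders", {"orders:read"}, now=NOW),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The ordering in `authorize` is the practical point: audience is a yes/no question about whether this service is an intended recipient at all, so it is evaluated before any scope logic, while scope is a set that the endpoint compares against what the operation needs. A token with `aud` listing several APIs is legitimate under RFC 7519, but each API still only honours the scopes it recognises.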