What should an OpenID Connect provider do if a client requests scopes for many audiences? For example:
Api Resource A uses these scopes: test.read
Api Resource B uses these scopes: test.write
A client can request test.read and test.write; it has been allowed to use both. But now what should be done with the audience in the access token if the client requested test.read and test.write? The audience should be only one, so I can't do something like this:
{
"audience": "ApiResourceA ApiResourceB"
}
What does the OIDC provider have to do in this case?
The audience claim represents one or more components / APIs that can receive a particular access token. So you should return either a single value or an array claim:
A common technique is to use a value such as api.mycompany.com so that related APIs can forward access tokens to each other.
Scopes instead represent access to an area of business data, and operations allowed on that data. An example might be shipping:write. The scope best practices article provides further details, described in terms of a business example.
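The following is an added example, not code from the answer above or from any particular provider, showing both halves of what the answer describes: the provider mints an access token whose aud claim is a single string for one audience and a JSON array for several (RFC 7519 allows either form), and each API then checks that its own identifier appears in that claim and that the scope it needs was granted. It assumes the ApiResourceA / ApiResourceB identifiers and test.read / test.write scopes from the question, a space-delimited scope claim, and, purely so the example runs with the standard library alone, an HS256 shared secret; a real provider signs with an asymmetric key and publishes the public half.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example only. A real OIDC provider signs access tokens
# with an asymmetric key (RS256/ES256) and APIs fetch the public key via JWKS;
# HS256 with a shared secret is used here so the example runs stand-alone.
SECRET = b"example-signing-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_access_token(client_id, audiences, scopes,
                       issuer="https://op.example.com", lifetime=300):
    """Provider side: mint an HS256-signed JWT access token.

    The aud claim is a plain string when exactly one audience was requested
    and a JSON array when several were, as RFC 7519 section 4.1.3 permits.
    The scope claim is the space-delimited list of granted scopes.
    """
    now = int(time.time())
    payload = {
        "iss": issuer,
        "sub": "user-123",  # constructed subject identifier
        "client_id": client_id,
        "aud": audiences[0] if len(audiences) == 1 else list(audiences),
        "scope": " ".join(scopes),
        "iat": now,
        "exp": now + lifetime,
    }
    header = {"alg": "HS256", "typ": "at+jwt"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." +
                     b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_claims(token: str) -> dict:
    """Read the payload WITHOUT verifying it; only for inspection, never for
    authorization decisions."""
    return json.loads(b64url_decode(token.split(".")[1]))


def validate_for_api(token, my_audience, required_scope, now=None):
    """Resource-server side: verify signature and expiry, then require that
    this API's identifier is among the token's audiences (accepting both the
    string and the array form of aud) and that the needed scope was granted.
    Returns (ok, reason) so callers can log why a token was rejected."""
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return False, "bad signature"
    header = json.loads(b64url_decode(h64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        return False, "unexpected alg"
    payload = json.loads(b64url_decode(p64))
    current = time.time() if now is None else now
    if current >= payload.get("exp", 0):
        return False, "expired"
    aud = payload.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if my_audience not in audiences:
        return False, "audience mismatch"
    if required_scope not in payload.get("scope", "").split():
        return False, "missing scope"
    return True, "ok"


if __name__ == "__main__":
    # The situation from the question: one client, both scopes, both APIs.
    tok = issue_access_token("client-1", ["ApiResourceA", "ApiResourceB"],
                             ["test.read", "test.write"])
    print("aud claim:", decode_claims(tok)["aud"])
    print("A accepts test.read:", validate_for_api(tok, "ApiResourceA", "test.read"))
    print("B accepts test.write:", validate_for_api(tok, "ApiResourceB", "test.write"))
    print("C rejects:", validate_for_api(tok, "ApiResourceC", "test.read"))
```

Each API checks only for its own membership in aud rather than requiring aud to equal a single value, which is what lets one token carry several audiences; the alg check and constant-time signature comparison are there because a validator that trusts the token's own header is the classic JWT mistake.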