JWT: Why is audience important?
Suppose I regularly use JWTs from AUTH SERVER
to sign in to several several websites, including A
and B
. Without the aud claim, the JWTs would be identical. This would allow a malicious admin from A
to use my JWT to authenticate to B
.
I would argue that in a sense you are correct in that there's nothing special about the audience claim that you couldn't handle yourself through namespaced claims and custom security checks.
The JWT specifications notes that the aud claim (as well as the other registered claims) are optional and that the application needs should define when to use or not use them.
As to why it's commonly advised to authenticate on audience, it's basically a simple and standardized way to test whether the incoming JWT is meant for your application. It can be a hassle to create namespaced tokens for each and every application you want the identity to work for. Following the standard approach also makes things easier if you need to integrate with 3rd party apps or identity services.
The only real danger I can think of is if you or the next developer forget to do any additional checks that are now necessary due to not using audience checking.