Our policy regarding access tokens and audiences

The OAuth2 protocol allows a token request to contain scopes for several audiences (APIs) at one time. The resulting access token can be used against several APIs since it contains multiple audiences and related scopes.

While this feature is useful, there is also a risk of abuse, since anyone possessing a token can reuse it as if they were the original client. This means that tokens with multiple audiences are even more powerful than regular access tokens, and the consequence of a stolen token is correspondingly higher than usual. Also, the client must trust every API it calls, since any API that receives the token can use it against the other audiences on behalf of the client.

In HelseID we have identified two ways of reducing this risk. The most powerful way is to require token binding via the mTLS and DPoP mechanisms. These ensure that the client that uses a token is the same one that requested it. Unfortunately, the token binding mechanisms are not available in HelseID yet, and they cannot be used in all cases. We therefore recommend a policy-based approach instead, where APIs reject tokens with multiple audiences.

By rejecting tokens with multiple audiences, the API can be sure that it is the only intended audience, and that the calling client remains in control of how the API is used on its behalf.
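The API-side check implied by this policy, as an added example that is not HelseID code: after signature and expiry validation (assumed to happen elsewhere), the `aud` claim is accepted only when it names exactly one audience and that audience is this API. The audience names and sample tokens are constructed for the demo.

```python
import base64
import json

# Added example (not HelseID code): enforcing the single-audience policy on the API side.
# Audience names and tokens below are constructed; the signature segment is a placeholder.

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_sample_token(claims: dict) -> str:
    """Build a compact-JWS-shaped string for the demo. Real tokens must be
    signature-verified and expiry-checked before any claim is trusted."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "at+jwt"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"

def check_audience(claims: dict, my_audience: str):
    """Return (accepted, reason). RFC 7519 allows 'aud' to be a string or an
    array; anything other than exactly one entry naming this API is rejected."""
    aud = claims.get("aud")
    if isinstance(aud, str):
        audiences = [aud]
    elif isinstance(aud, list) and aud and all(isinstance(a, str) for a in aud):
        audiences = aud
    else:
        return False, "missing or malformed aud claim"
    if len(audiences) > 1:
        return False, "token carries multiple audiences: " + ", ".join(audiences)
    if audiences[0] != my_audience:
        return False, f"audience {audiences[0]!r} is not this API"
    return True, "ok"

def evaluate_token(token: str, my_audience: str):
    """Decode the payload segment and apply the audience policy."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a compact JWS"
    claims = json.loads(_b64url_decode(parts[1]))
    return check_audience(claims, my_audience)

# Constructed sample tokens: a policy-compliant single-audience token, and a
# multi-audience token that an API following this policy should refuse.
SINGLE_AUD_TOKEN = make_sample_token({"aud": "sample-api-a", "scope": "a/read"})
MULTI_AUD_TOKEN = make_sample_token({"aud": ["sample-api-a", "sample-api-b"], "scope": "a/read b/write"})

if __name__ == "__main__":
    for label, tok in [("single", SINGLE_AUD_TOKEN), ("multi", MULTI_AUD_TOKEN)]:
        print(label, evaluate_token(tok, "sample-api-a"))
```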

The consequence of such a policy is that clients may have to handle multiple access tokens, one for each audience. In a machine-to-machine scenario this is easily done by performing multiple requests to the token endpoint. In the scenario where user information is required in the token, the situation is more complex: the web browser must perform multiple calls to the authorize endpoint, once for each token/audience that is requested.

The resulting authorization code must be redeemed for an access token (and possibly a refresh token) before the next token is requested. Since HelseID supports single sign-on this won't affect the user, but it is still more complex to implement than a single authorization request for all the scopes the client needs.

Even though we recommend that APIs reject tokens with multiple audiences, HelseID will continue to support them. There are several valid scenarios where these tokens should be accepted, and not all APIs have the same risk profile. Each individual API has to decide whether or not to implement this policy.