# general
c
Hello! We're experimenting with userinfo replies formatted as JWTs. It appears from our testing that the audience of these JWTs is always the client_id of the bearer token that was used to get the userinfo. It does not appear that the audience of the bearer token or id token has any effect on this. Am I missing something, or is there no way to customize the audience of this token?
e
Hello! The spec states the following:
> REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case-sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case-sensitive string.
Currently, we don't support adding additional audience values and just use the client_id as required by the spec. You can look at some of the conversation in these issues: https://github.com/ory/hydra/issues/790 https://github.com/ory/hydra/issues/2042
c
Thanks! Very helpful.