# ory-copilot
@chilly-king-10285 Can we force an OAuth2 client to request an audience (`aud`)?
A message from kapa.ai
Yes, you can require an OAuth2 client to request a specific audience (`aud`) by configuring the allowed audiences in the OAuth2 client settings. When creating or updating an OAuth2 client, you can specify the `audience` parameter as a list of URLs that the client is allowed to request. During OAuth2 flows like Authorization Code Grant, the client can then request audiences at the `/oauth2/auth` endpoint using the `audience` query parameter. The requested audience is validated against the allowed audiences defined in the client configuration. If the requested audience is not in the allow list, the request will be rejected. Here's an example of how to set allowed audiences in the client configuration:
```json
{
  "client_id": "...",
  // ..
  "audience": ["https://api.my-cloud.com/user", "https://some-tenant.my-cloud.com/"],
  // ..
}
```
And an example of requesting an audience during the authorization flow:
```
https://$PROJECT_SLUG.projects.oryapis.com/oauth2/auth
  ?client_id=...
  &scope=...
  &audience=https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/
```
The audience values are validated against the client's allowed audiences, and only those present in the allow list will be accepted. This mechanism effectively forces the client to request only permitted audiences. You can also control the granted audience during consent handling by setting `grant_access_token_audience` in the consent acceptance payload ([OAuth2 token audience](https://www.ory.sh/docs/hydra/guides/audiences)). If you need to enforce that a client always requests a specific audience, you must ensure that only the desired audience(s) are present in the client's allow list, and handle consent accordingly. The knowledge sources do not mention a way to make the `audience` parameter strictly required for every request, but restricting the allow list achieves a similar effect.
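An added worked example (not from the Ory docs or the Hydra code base) of the allow-list check the answer describes: it parses the `audience` query parameter from an `/oauth2/auth` URL, compares it with the client's configured `audience` list, and builds a consent acceptance payload whose `grant_access_token_audience` can only contain permitted values. The client record, the URL and the function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample client record, shaped like the JSON in the answer above.
SAMPLE_CLIENT = {
    "client_id": "example-client",
    "audience": [
        "https://api.my-cloud.com/user",
        "https://some-tenant.my-cloud.com/",
    ],
}

# Constructed sample authorization request, mirroring the URL in the answer.
SAMPLE_AUTH_URL = (
    "https://PROJECT_SLUG.projects.oryapis.com/oauth2/auth"
    "?client_id=example-client&scope=openid"
    "&audience=https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/"
)


def requested_audiences(auth_url: str) -> list[str]:
    """Return the audiences named in the `audience` query parameter.

    The parameter is space separated; in the URL the spaces are encoded
    as '+', which parse_qs decodes back to spaces.
    """
    query = parse_qs(urlsplit(auth_url).query)
    raw = query.get("audience", [""])[0]
    return [aud for aud in raw.split(" ") if aud]


def check_audience_allow_list(client: dict, requested: list[str]) -> list[str]:
    """Return the requested audiences that are NOT in the client's allow list.

    An empty result means every requested audience is permitted; anything
    returned is a value the authorization server would reject the request for.
    """
    allowed = set(client.get("audience", []))
    return [aud for aud in requested if aud not in allowed]


def consent_acceptance_payload(client: dict, requested: list[str]) -> dict:
    """Build the consent acceptance body, granting only allow-listed audiences.

    Only `grant_access_token_audience` is shown; a real consent acceptance
    carries other fields as well.
    """
    rejected = check_audience_allow_list(client, requested)
    if rejected:
        raise ValueError(f"audience not permitted for this client: {rejected}")
    return {"grant_access_token_audience": list(requested)}
```

Applying the same check inside the consent app means `grant_access_token_audience` can never widen beyond what the client was registered for, even if the consent logic is later changed.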