gray-machine-46287
07/17/2025, 3:47 PM
aud
?
brief-egg-61061
07/17/2025, 3:47 PM
brief-egg-61061
07/17/2025, 3:48 PM
aud
) by configuring the allowed audiences in the OAuth2 client settings. When creating or updating an OAuth2 client, you can specify the `audience` parameter as a list of URLs that the client is allowed to request. During OAuth2 flows like Authorization Code Grant, the client can then request audiences at the `/oauth2/auth` endpoint using the `audience` query parameter. The requested audience is validated against the allowed audiences defined in the client configuration. If the requested audience is not in the allow list, the request will be rejected.

Here’s an example of how to set allowed audiences in the client configuration:

```json
{
  "client_id": "...",
  // ..
  "audience": ["https://api.my-cloud.com/user", "https://some-tenant.my-cloud.com/"],
  // ..
}
```

And an example of requesting an audience during the authorization flow:

```
https://$PROJECT_SLUG.projects.oryapis.com/oauth2/auth
  ?client_id=...
  &scope=...
  &audience=https://api.my-cloud.com/user+https://some-tenant.my-cloud.com/
```

The audience values are validated against the client’s allowed audiences, and only those present in the allow list will be accepted. This mechanism effectively forces the client to request only permitted audiences. You can also control the granted audience during consent handling by setting `grant_access_token_audience` in the consent acceptance payload ([OAuth2 token audience](https://www.ory.sh/docs/hydra/guides/audiences)). If you need to enforce that a client always requests a specific audience, you must ensure that only the desired audience(s) are present in the client’s allow list, and handle consent accordingly. The knowledge sources do not mention a way to make the `audience` parameter strictly required for every request, but restricting the allow list achieves a similar effect.