An API must audience-restrict assertions to ensure the information or access granted by a token is only usable by its intended recipient. Assertions like JWTs or SAML tokens often include an "audience" (aud) claim, which specifies the exact service or API that is authorized to consume the assertion. Without this restriction, a token could be intercepted and used by an unintended or malicious service, potentially leading to unauthorized access or data breaches. By enforcing audience restrictions, the API strengthens its security posture by ensuring assertions cannot be misused outside their intended context.
Check
Review the organization's identification and authentication policy to understand the specific audience restrictions defined, including which entities or systems are allowed to consume the assertions and how audience claims are handled.
Check the API's implementation to verify assertions include proper audience claims (e.g., aud in JWT tokens). The audience claim must specify which entity or service is permitted to use the assertion, in accordance with the organization's policy.
Simulate the use of assertions by different services or users to verify the API correctly enforces audience restrictions. The API must reject any assertion that is not intended for the current consumer or service, based on the audience claim.
Verify the audience values specified in the assertions align with the organization's policy.
Check that the API logs events related to audience validation, including successful and failed attempts to access protected resources based on audience restrictions. These logs must be detailed enough to identify when audience-related validation occurs and whether access was granted or denied.
If the API relies on third-party identity providers (IdPs) or other systems for generating assertions, verify these systems correctly implement audience restriction policies. Test the integration between these systems and the API to verify that audience-restricted assertions are being correctly issued and consumed.
Review the API's documentation to confirm audience restrictions are implemented correctly, and ensure the API is fully compliant with the organization's defined audience control policies.
If the API does not audience-restrict assertions in accordance with organization-defined identification and authentication policy, this is a finding.
Fix
Build or configure the API to audience-restrict assertions in accordance with organization-defined identification and authentication policy.
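The following is an added example, not part of this STIG text, showing the behaviour the check steps look for and the fix requires: an API-side validator that verifies a JWT's signature, enforces the aud claim against the service's own identifier (handling both the string and array forms RFC 7519 allows), and logs the success or failure of audience validation. The shared secret, service URLs and the mint_hs256_jwt helper (standing in for the IdP) are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import logging
import time

log = logging.getLogger("audience-validation")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_hs256_jwt(claims: dict, key: bytes) -> str:
    """Constructed IdP side: issue an HS256-signed JWT for the given claims (fixture only)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate_assertion(token: str, key: bytes, expected_aud: str, now=None):
    """API side: verify the signature, then enforce the audience restriction.

    Returns (claims, "ok") on success or (None, reason) on rejection, and logs both
    outcomes so the audit trail shows when audience validation ran and its result.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header, body, sig = parts
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None, "unexpected alg"  # pin the algorithm; never let the token choose it
    expected_sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(body))
    aud = claims.get("aud")
    if aud is None:
        log.warning("audience validation failed: sub=%s reason=aud missing", claims.get("sub"))
        return None, "audience claim missing"
    audiences = [aud] if isinstance(aud, str) else aud  # RFC 7519: string or array of strings
    if not isinstance(audiences, list) or expected_aud not in audiences:
        log.warning("audience validation failed: sub=%s aud=%r expected=%s", claims.get("sub"), aud, expected_aud)
        return None, "audience mismatch"
    if "exp" in claims and now >= claims["exp"]:
        return None, "expired"
    log.info("audience validation succeeded: sub=%s aud=%s", claims.get("sub"), expected_aud)
    return claims, "ok"
```

A token minted for one service is accepted only by that service; presenting it to a different consumer, omitting aud, or tampering with the token is rejected with a logged reason.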