JWT - Subject and Audience

sub identifies who is calling (CareerGPT), while aud identifies which service the token is for (Logging), ensuring scoped, secure service-to-service communication.

The sub and aud fields are part of JWT claims and reflect standard identity and authorization semantics in distributed systems:

  • Subject (sub) → Represents the caller’s identity (e.g., CareerGPT microservice).

  • Audience (aud) → Defines the intended recipient/service (e.g., Logging microservice).

  • This pattern is known as service-to-service authentication (or machine-to-machine auth) and supports principle of least privilege by scoping tokens to a specific target.

  • Architecturally, this is part of a Zero Trust microservices architecture, where issuer (iss) is the trust anchor and tokens are validated per service boundary.

For example consider the following endpoint, and request body

Endpoint: 

POST /token 

Request Body Example:

{

 "sub": "careergpt-backend", 

 "aud": "logging-service

1. What is sub (Subject)?

  • Represents who the token is about — the entity (service, user, or client) that is being authenticated.

  • In your example:

    "sub": "careergpt-backend"

    This means the token is being issued to the CareerGPT backend microservice.

  • Purpose:

    • Lets downstream services (e.g., Logging-Backend) know which service is making the request.

    • Supports auditing (e.g., “Which service generated this log entry?”).

    • Enables revocation or scoping of tokens per service if needed later.

2. What is aud (Audience)?

  • Represents who the token is intended for — the target service that will validate and accept the token.

  • In your example:

    "aud": "logging-service"

    This means the token is meant to be presented to the Logging-Backend service.

  • Purpose:

    • Ensures that even if the token is stolen, it can only be used with the intended service (audience check).

    • Prevents token reuse across unrelated services (e.g., a Logging token can’t be used against Notification-Backend).

Why this combination is important

  • sub = careergpt-backend: Identifies the caller.

  • aud = logging-service: Identifies the recipient.

  • Together, they create a trust contract:

    • CareerGPT requests a token to talk to Logging.

    • Identity-Backend signs a token that explicitly states: “This token is for Logging, and it was issued to CareerGPT.”

    • Logging-Backend validates:

      • Issuer = Identity-Backend

      • Audience = Logging-Backend

      • Subject = CareerGPT-Backend (for auditing/logging)

Benefit in your architecture


Comments

Post a Comment

Popular posts from this blog

Feature: Audit log for one login, and identity service

Image
Customer (Product) Page High-Level System Design Diagram (PlantUML) Sequence Diagram: Audit Event Ingestion Sequence Diagram: Orchestration Event For a High-Level System (Component) Diagram The queue is implemented as message_queue (generic), and the audit log service consumes from it, writing to a dedicated audit_log table. The logging service also consumes from the same message_queue and writes to log_store. Orchestration/other services use the same queue. Summary Table: What Writes Where Event Type Goes Into Consumed By Final Storage audit message_queue Audit Log Service audit_log table log message_queue Logging Service log_store table doc_uploaded message_queue Orchestration Worker (business DB, or triggers next event) ocr_ready message_queue Notification Worker, etc. (notification log, etc.)  Core Tables message_queue – universal event bus (temp buffer) audit_log – immutable audit/compliance events log_store – application logs (op...
Read more

Getting started - Build your data science lab environment

This guide explains how to set up a complete data science environment for the udemy program. A proper setup ensures compatibility and avoids recurring environment issues.  1. Overview Goal : Create a full-featured environment with sufficient resources for all course exercises. Recommendation : Use Anaconda for the most reliable setup. Alternative : Use a Python virtual environment with pip if Anaconda isn’t working. 2. Setup Options Primary (Recommended) Create a dedicated Anaconda environment (isolated, compatible). Alternative Use a standard Python virtualenv + pip (faster but less reliable). 3. Windows Setup Steps Clone Course Repository git clone https://github.com/ed-donner/llm_engineering/ Follow the repository’s README.md instructions for additional setup details. Create Anaconda Environment Inside the llm_engineering folder: conda env create -f environment.yml ⏳ This may take several minutes. Activate the environment: conda activate llms Deactivat...
Read more

QA - Run #1 - Results

Image
# QA Report for Tag QA_July2025_A - **Tag/Commit:** QA_July2025_A (`f32abc1`) - **Date:** 2025-08-01 - **QA Outcomes:** All tests passed except for file upload (see below)... - **Environment:** Windows 10, Python 3.12, requirements.txt as of tag - **Notes:** See log for detailed results. ## Issue Found - **Step:** - **Bug:** - **Log excerpt:** - **Screenshot:** For this QA run, we begin with pristine state by: Stop all services Delete logs.db, and jobs.db Delete all files in doc_store folder Start all services Test, you should see no data on index page, and query should result in no data found error Next, go ahead and upload new1.txt, and after that new2.txt Issue the query: "can you summarize all of the todo items you can find, seperating each one on a single line, with due date first, then title, and description with any details you can augment" Expected Answer: - August 1, 2025: Respond to Amira and discuss weekend plans - August 3, 2025: Go to Somesh class and finish ta...
Read more